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SECTION  1 


\  INTRODUCTION 

1.1  ASSESSMENT  OBJECTIVES  AND  SCOPE. 

This  document  presents  assessment  procedures  for  the  preliminary  assessment, of 
the  survivability  of  the  FLTSATCOM  satellite  Attitude  and  Velocity  Control  Subsystem 
(AVCS)  to  various  nuclear  weapon  effects  (NWE).  In  addition  to  obtaining  the  assessment 
results  themselves  the  objectives  of  this  assessment  are  primarily  to  exercise  for  the 
first  time  the  NHEP  (Nuclear  Hardness  Evaluation  Procedures)  assessment  methodology  for 
satellites  on  a  real  piece  of  satellite  equipment  and  to  identify  technology  and/or 
data  gaps  that  hinder  the  assessment.  .  The  AVCS  was  selected  first  for  consideration 
because  it  is  rather  compact  (one  majoV'lio*  of  electronics  and  assorted  sensors)  and  at 
the  same  time  it  is  representative  of  satellite  electronics  on  FLTSATCOM.  Other 
FLTSATCOM  subsystems  will  be  considered  later. 

The  term  "preliminary  assessment"  has  a  rather  specialized  meaning  in  the 
context  of  the  NHEP  methodology.  This  methodology  is  reviewed  in  Section  1.2  in  more 
detail,  but  we  would  like  to  indicate  the  major  characteristics  of  a  preliminary 
assessment  as  described  here,  namely,  it  performs  a  quantitative  assessment  of  the  vul¬ 
nerability  of  mission  critical  equipment  of  a  satellite  to  various  NWE  using  existing 
data  as  well  as  simple  algorithms  in  order  to  identify  the  controlling  failure  modes  of 
the  system.  Later  phases  of  the  NHEP  methodology  may  develop  new  data  via  test  or  anal¬ 
yses,  but  this  preliminary  assessment  is  based  on  existing  data  only.  Most  of  the  data 
identified  here  were  obtained  from  two  basic  sources  of  information,  both  of  which  were 
documented  during  the  FLTSATCOM  hardened  satellite  development  program.  These  docu¬ 
ments  are: 

t  FLTSATCOM  Survivability  Critical  Design  Review  Package,  15  July  1974^ 

•  Spacecraft  Hardening  Design  Guidelines  Handbook2^ 

The  former  document  (referred  to  henceforth  as  the  CDR  package)  summarizes  the  hardness 
data  obtained  by  TRW's  Vulnerability  and  Hardness  Laboratory  (V&H)  in  the  course  of  the 
FLTSATCOM  program.  The  latter  document  (referred  to  as  the  Guidelines)  distills  the 
V&H  Lab's  experience  in  contributing  to  the  design  of  hardened  satellite  systems.  The 
adequacy  of  the  data,  for  the  purposes  of  a  preliminary  assessment,  is  discussed  in 
Section  1.3. 
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The  specific  NWE  to  which  the  AVCS  is  assessed  are  the  following: 

•  SGEMP  burnout 

•  TREE  burnout  (photo-current) 

•  permanent  degradation  from  total  dose  (n,  y  and  fission  electrons) 

•  functional  upset  (all  NWE) 

•  radiation  effects  on  nonelectronic  components 

The  NWE  to  which  the  AVCS  is  not  assessed  are  the  following: 

•  EMP  burnout 

•  synergistic  effects  (TREE  +  SGEMP) 

•  Short  term  displacement  damage 

EMP  burnout  is  not  treated  partly  because  it  is  not  considered  a  threat  to  satellites 
in  geosynchronous  orbits,  but  more  importantly  because  we  are  unsure  how  to  relate  EMP 
environments  at  geosynchronous  altitudes  to  weapon  parameters  and  height  of  burst. 

These  parameters  are  important  if  one  wants  to  make  comparisons  of  EMP  to  different  NWE 
originating  from  the  same  weapon(s).  The  last  two  effects  mentioned  above  are  not 
considered  simply  because  no  data  was  acquired  for  them  in  the  original  FLTSATCOM  pro¬ 
gram.  Later  phases  of  the  assessment  beyond  the  preliminary  assessment  would  in  prin¬ 
ciple  address  the  NWE  omitted  in  the  preliminary  assessment. 

Both  the  assessment  procedures  and  the  assessment  itself  which  will  eventu¬ 
ally  follow  are  a  joint  effort  of  TRW  and  ETI.  This  assessment  plan  represents  the 
bringing  together  of  the  following  sources  of  information  which  are  described  in  more 
detail  in  the  sections  which  follow. 

1)  NHEP  methodology  and  flow  charts  (developed  by  ETI):  Section  1.2 

2)  top  level  screen  of  the  AVCS  (performed  by  ETI):  Section  1.4 

3)  statistical  management  of  data  and  assessment  (developed  by  TRW): 

Section  2 

4)  specific  procedures  for  detailed  assessment  (developed  by  TRW): 

Section  3 

The  NHEP  methodology  itself  is  represented  in  a  set  of  general  flowcharts  which  were 

followed  closely  in  setting  up  the  present  assessment  procedures,  taking  into  account 

the  specific  hardening  features  of  FLTSATCOM.  The  top  level  screen,  performed  some- 
31 

time  ago  by  ETI,  '  succeeded  in  isolating  the  subsystems  and  boxes  of  FLTSATCOM  that 
were  both  susceptible  to  various  NWE  as  well  as  critical  to  on-orbit  functions.  It 
should  be  pointed  out  that  some  10,000  failure  modes  exist  on  the  AVCS  subsystem  alone, 


and  that  careful  management  of  the  data  using  statistical  tools  is  a  critical  part  of 
the  assessment  plan.  By  specific  procedures  we  mean  the  detailed  formulas,  graphs, 
and  algorithms  to  be  followed  in  the  assessment  of  each  failure  mode. 

The  organization  of  the  assessment  is  discussed  in  Section  1.5. 

The  specific  procedures  of  the  assessment  for  each  NWE  are  discussed  in 

Section  3. 

1.2  OVERVIEW  OF  THE  NHEP  METHODOLOGY. 

Before  presenting  the  details  of  our  assessment  plan  we  would  like  to  dis¬ 
cuss  some  topics  related  to  the  background  of  NHEP-S  in  order  to  place  our  present 
efforts  into  an  understandable  context.  The  topics  to  be  discussed  here  are  as 
fol lows: 

t  what  is  NHEP  and  its  overall  objective  relative  to  a  satellite  assessment 
methodology? 

•  who  would  use  NHEP? 

•  what  does  the  NHEP  methodology  look  like? 

•  what  progress  has  been  made  in  developing  NHEP? 

What  is  NHEP? 

NHEP  is  a  methodology  which  produces  in  principle  a  complete  assessment  of  a 
system  to  all  nuclear  weapon  effects.  It  was  originally  developed  by  Effects  Technology 
Incorporated  (ETI)  and  applied  to  the  problem  of  assessing  re-entry  vehicles. 

Can  NHEP  be  applied  to  satellites? 

While  the  NHEP  re-entry  vehicle  program  was  successful,  it  should  be  pointed 
out  that  it  was  not  at  all  clear  that  the  methodology  could  be  applied  to  satellites  for 
the  following  reasons:  1)  the  vulnerability  of  electronics  had  not  been  assessed  in 
the  earlier  program,  and  2)  the  number  of  potential  failure  modes  in  a  satellite  system 
is  at  least  an  order-of-magnitude  larger  than  for  re-entry  vehicles.  For  these  reasons 
our  present  efforts  have  been  devoted  to  determining  the  feasibility  of  applying  NHEP 
to  satellites.  By  feasibility  we  mean  the  following: 

t  one  should  be  able  to  write  down  a  complete  methodology  for  evaluating 
satellite  hardness; 

•  there  should  be  no  insurmountable  technology  or  data  gaps,  i.e.  with 
some  reasonable  amount  of  funding,  or  perhaps  with  a  revision  of  the 
methodology,  one  can  foresee  obtaining  sufficient  data  to  exercise 
NHEP; 
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•  the  methodology  should  be  demonstrated  on  a  real  piece  of  satellite 
equipment,  e.g.  a  subsystem  of  a  satellite. 

What  is  the  output  of  NHEP? 


The  output  of  NHEP  consists  of  the  following.  First  and  foremost  NHEP  pro¬ 
duces  damage  functions  which  represent  the  satellite's  probability  of  survival  P<.  as 
a  function  of  environment,  as  shown  in  Figure  1.2-1,  where  the  distribution  of  P<- 
depends  on  both  random  and  bias  uncertainties  associated  with  the  input  data.  By 
arraying  where  possible  damage  functions  for  each  nuclear  weapon  environment  on  the 
same  graph,  the  virtues  of  NHEP  become  readily  apparent,  namely, 

•  NHEP  allows  management  control  of  resources  in  either  a  satellite  harden¬ 
ing  program  or  an  assessment  effort  or  both  by  concentrating  effort  on 
the  controlling  failure  modes; 

•  NHEP  determines  not  only  the  degree  of  survivability  at  a  specified  cri¬ 
teria  environment,  but  also  the  environment  (stress  level)  at  which  the 
satellite  fails  for  nuclear  weapon  effect; 

•  NHEP  identifies  gaps  in  the  technology  base. 


CRITERIA  ENVIRONMENT 


ENVIRONMENT 

Figure  1.2-1.  NHEP-S  Damage  Functions 


Who  would  use  NHEP? 

We  envision  that  NHEP-S  could  be  used  by  the  following  organizations: 

•  Planners,  who  for  example  are  interested  in  satellite  survivability 
as  a  function  of  threat  scenarios 

•  Procurement  groups,  who  want  to  know  if  it  is  feasible  to  design 
hardened  satellites  and  the  associated  costs 

•  technology  development  groups,  who  might  want  to  identify  technology 
needs,  as  well  as  prioritize  them 

•  satellite  program  planners,  who  want  to  allocate  hardness  resources 
in  a  satellite  program. 

From  the  point  of  view  of  a  system  house,  NHEP-S  (provided  it  were  tied  into  system 
level  requirements  in  a  satellite  program)  would  have  an  impact  because  it  would 
enable  program  planners  to  allocate  hardening  resources  among  different  nuclear 
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weapon  effects.  Managers  could  decide,  for  example,  whether  further  hardening  was 
required  in  the  course  of  a  program,  or  what  kinds  of  additional  data  in  the  form  of 
tests  or  improved  analysis  were  required.  This  contrasts  with  the  present  situation 
where  hardness  to  each  nuclear  weapon  effect  is  treated  independently,  regardless  of 
its  relative  importance  to  the  satellite's  overall  hardness. 

In  developing  NHEP-S,  we  have  consciously  attempted  to  make  it  an  integral 
tool  in  a  satellite  hardening  program.  We  do  not  mean  to  imply,  however,  that  the 
methodology  could  not  be  applied  as  a  straight  assessment  tool  (i.e.,  after  the  system 
is  built),  nor  that  it  could  not  be  applied  to  an  unhardened  system. 

Overview  of  NHEP  Methodology. 

An  overview  of  NHEP  is  shown  in  Figure  1.2-2.  Basically  there  is  a  five  step 
procedure  with  an  inner  DO  loop  on  the  last  three  steps  indicating  subphases  of  the 
assessment.  These  subphases  are  called  "preliminary  assessment,"  "data  base  imnrove- 
ment,"  and  "final  assessment." 

Step  1:  Determination  of  the  management  acceptance  criteria.  Here  the 

manager  decides,  for  example,  the  minimum  probability  of  survival 
he  will  accept  at  a  criteria  environment  or  he  may  assign  screen¬ 
ing  criteria  for  circuits  based  on  the  concept  of  a  failure  budget, 
i.e.,  the  failure  rate  for  circuits  for  SGEMP  burnout  is  only  2%  at 
a  criteria  environment.  (Of  course,  the  manager  may  also  choose 
not  to  impose  any  criteria  on  the  assessment.) 

Step  2:  Top  level  screen  or  "logic"  screen  where  the  system  is  screened 
based  on  the  criticality  of  circuits  and  whether  they  are  used  to 
perform  on-orbit  functions. 

Step  3:  The  assignment  by  the  manager  of  assessment  and/or  hardening 
resources  for  each  phase  of  the  assessment. 

Step  4:  Carrying  out  the  assessment  procedures  for  each  phase. 

Step  5:  Screening  of  circuits  after  each  assessment  phase  in  order  to 
concentrate  on  the  controlling  circuit  failure  modes. 

Note  that  the  subphases  of  the  assessment  imply  carrying  out  procedures  of  increasing 
complexity.  Whereas  step  2  (called  "Top  Level  Screen")  is  a  logic  screen  (i.e.,  no 
detailed  data,  formulas,  etc.)  the  assessment  subphase  called  "preliminary  assessment" 
involves  the  use  of  existing  data  along  with  simple  algorithms.  These  results  are  used 
to  screen  the  circuits,  thus  concentrating  attention  in  the  later  assessment  phases  on 
the  controlling  failure  modes.  The  last  two  phases  of  assessment  involve  various 
levels  of  hardening  options,  development  testing,  model  improvement,  and  finally 
system/subsystem  level  validation  testing. 
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NHEP-S  PROCEDURE  OVERVIEW 


•  SUBSYSTEM/SYSTEM  TEST 

•  DETAILED  MODELING 


What  progress  has  been  made? 

For  the  past  year  TRW  and  ETI  have  been  developing  the  NHEP  methodology  whose 
overall  objective  is  to  form  the  basis  of  an  assessment  of  a  satellite  system  to  all 
nuclear  weapon  effects.  The  immediate  objective  of  our  present  efforts  has  been: 

1)  to  see  if  it  is  possible  to  write  down  an  appropriate  methodology; 

2)  to  see  if  there  are  any  insurmountable  technology  gaps  which  would 
prevent  the  application  of  the  methodology; 

3)  to  demonstrate  the  methodology  by  application  to  a  satellite 
subsystem. 

Progress  in  reaching  these  goals  (November  1979)  is  as  follows: 

1)  flowcharts  for  all  of  the  various  nuclear  weapons  effects  have  been 
written  (ETI); 

2)  specific  procedures  have  been  developed  by  TRW  for  the  treatment  of 
SGEMP  and  TREE  burnout,  permanent  degradation,  and  an  approach  to 
the  assessment  of  functional  upset  has  been  outlined;  ETI  has  written 
specific  procedures  for  radiation  effects  on  nonelectronic  components 
including  thermomechanical  damage  and  material  degradation.  These 
procedures  are  presented  in  Section  3. 

3)  the  so-called  top-level  screen  of  the  AVCS  assessment  which  ETI  per¬ 
formed  some  time  ago  is  reviewed  in  Section  1.4. 

1.3  OVERVIEW  OF  FLTSATCOM  SURVIVABILITY  DATA. 

By  definition  the  preliminary  assessment  of  a  satellite  relies  on  the  exist¬ 
ing  data  base.  In  this  case  the  existing  survivability  data  was  collected  in  the 
course  of  the  development  and  qualification  test  program  for  FLTSATCOM.  However,  it 
cannot  be  overemphasized  that  this  data  was  not  collected  to  support  an  assessment 
effort.  Rather  it  was  collected  to  support  the  specific  customer  imposed  requirements 
related  to  survivability.  The  corrolary  is  that  the  existing  data,  for  our  purposes  at 
least,  is  often  incomplete  and/or  not  in  the  most  desirable  form. 

We  are  not  daunted  by  this.  In  fact  the  identification  of  missing  data  in 
the  FLTSATCOM  data  base  may  cause  a  re-evaluation  of  the  kinds  of  data  actually  col¬ 
lected  in  future  hardened  satellite  programs.  For  our  present  purposes,  however,  we 
want  to  emphasize  that  the  survivability  data  was  tailored  both  to  the  specific  harden¬ 
ing  decisions  made  in  the  FLTSATCOM  program  as  well  as  the  customer  imposed  require¬ 
ments.  For  this  reason  it  is  appropriate  here  to  discuss 

•  the  survivability  requirements  on  FLTSATCOM 

•  the  available  data  for  each  of  the  NWE 
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There  are  two  points  to  keep  in  mind  about  the  FLTSATCOM  hardening  effort. 
First,  FLTSATCOM  was  designed  to  meet  a  set  of  specified  criteria  environments,  i.e., 
hardness  to  so  much  X-ray,  y,  neutron  flux,  as  well  as  total  dose.  The  verification 
requirements  were  that  individual  parts  or  components  be  tested  at  anywhere  from  1  to 
10  times  the  specified  criteria  environment.  From  the  point  of  view  of  NHEP  this  rep¬ 
resents  a  rather  severe  impact  since  NHEP  is  concerned  not  only  with  criteria  environ¬ 
ments,  but  also  much  higher  environment  levels.  In  other  words,  at  what  threat  level 
does  a  satellite  break?  For  this  reason,  the  FLTSATCOM  data  is  often  incomplete  for 
the  purposes  of  the  NHEP  assessment. 

The  second  point  is  that  the  development  and  verification  tests  done  on 
FLTSATCOM  were  concentrated  mostly  at  the  piece-part  level  (n,  y,  FXR)  with  some  sub¬ 
system  level  upset  testing  using  the  FXR  (Vulcan).  This  situation  is  partly  due  to 
the  fact  that  the  technology  for  system  level  tests  (in  the  form  of  suitable  simulators 
and  acceptable  procedures)  was  not  available  at  the  time  of  the  RFP  and  the  customer 
was  unwilling  to  impose  unrealizable  requirements.  For  example,  the  SGEMP  burnout 
hardness  verification  was  required  to  be  performed  by  analysis  only,  and  the  scheduled 
system  level  EMP  test  was  cancelled  because  the  threat  environment  was  later  judged  to 
be  too  small  to  affect  the  electronics.  It  is  expected  that  in  the  future,  as  the 
technology  progresses,  the  appropriate  system  or  subsystem  level  tests  will  become  a 
standard  feature  of  the  hardening  programs. 

Again,  the  lack  of  system  or  subsystem  level  test  data  places  constraints  on 
the  assessment.  For  example  we  assume  in  most  cases  that  a  part  fails  (burns  out)  or 
degrades  independent  of  every  other  part.  If  one  assumes  this  is  true,  and  proceeds 
to  design  a  test  program  based  on  lot  sample  testing  of  parts,  it  is  difficult  to  see 
how  an  assessment  program  based  on  available  data  can  verify  this  assumption. 

Two  final  difficulties  associated  with  lot  sample  testing:  On  FLTSATCOM 
every  single  lot  of  parts  (300-400  lots)  had  5  parts  sampled  at  some  overstress  level 
relative  to  a  criteria  environment.  It  is  our  assertion  that  the  amount  of  limited 
testing  done  is  insufficient  of  itself  to  provide  statistical  confidence  in  hardness. 

It  should  be  pointed  out,  however,  that  the  lot  sample  testing  was  a  customer  imposed 
requirement  in  order  to  establish  a  more-or-less  uniform  standard  of  acceptability  on 
the  part  suppliers. 

This  brings  up  the  issue  of  process  variability  and  process  changes  leading 
to  different  radiation  vulnerability  for  the  same  generic  part,  sometimes  even  from  the 
same  manufacturer.  It  was  found  that  such  process  sensitivity  resulted  in  changes  of 
response  of  up  to  an  order-of-magnitude  between  the  design  baseline  data  developed  on 


the  basis  of  the  engineering  tests  and  the  data  exhibited  by  lot  sample  tests  on  pro¬ 
duction  parts.  Such  changes  occasionally  required  design  "fixes"  (e.g.  adding  shield¬ 
ing)  to  compensate  for  the  differences  in  radiation  response.  This  will  require  us  in 
our  assessment  effort  to  run  down  these  design  changes,  which  were  installed  after  the 
CDR  package  was  written. 

The  kinds  of  data  available  on  FLTSATCOM  for  the  NWE  considered  in  this  assess¬ 
ment  are  summarized  in  Table  1.3-1.  Comments  on  the  data  are  indicated  there.  More 
detailed  comments  are  reserved  for  Section  3  where  the  various  NWE  are  discussed  in 
detail . 

1.4  ASSESSMENT  CRITERIA  AND  TOP  LEVEL  SCREEN  FOR  FLTSATCOM. 

The  steps  in  the  NHEP-S  methodology,  up  to  and  including  the  preliminary 
assessment  phase  in  Figure  1.2-2,  are 

1.  set  acceptance  criteria 

2.  perform  top  level  screen 

3.  allocate  program  resources 

4.  perform  preliminary  assessment  and  planning  options 

5.  screen 

We  discuss  the  first  two  here. 

Acceptance  Criteria. 

There  are  a  number  of  requirements  that  a  manager  can  impose  on  an  assess¬ 
ment.  These  might,  for  example,  be  concerned  with  required  accuracy  of  the  calcula¬ 
tions.  Perhaps  the  manager  wants  to  obtain  a  required  probability  of  survival  at  a 
criterion  environment.  Or,  perhaps  no  assessment  acceptance  criteria  are  imposed. 

For  the  present  we  have  not  imposed  any  acceptance  criteria  on  the  prelimi¬ 
nary  assessment  since  we  want  to  see  all  the  implications  of  the  methodology  before 
narrowing  ourselves  down.  One  task  which  we  will  define  for  ourselves  is  to  investi¬ 
gate  the  consequences  of  various  acceptance  criteria  on  subsequent  phases  of  the 
assessment. 

Top  Level  Screen 

Referring  to  Figure  1.2-2  which  gives  the  overview  of  the  NHEP-S  methodology 
the  second  major  step  in  the  methodology  is  the  top  level  screen  which,  without  the 
benefit  of  actual  calculations,  surveys  the  satellite  and  identifies 
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•  what  components  of  the  satellite  are  vulnerable  to  particular  NWE 

•  what  components  are  used  to  perform  on-orbit  functions,  i.e.,  what 
components  are  mission  critical 

If  the  given  component  is  not  used  on  orbit  or  is  invulnerable  to  a  given  NWE,  or  both, 
it  is  discarded. 

The  virtues  of  the  top  level  screen  are  as  follows:  besides  getting  rid  of 
components,  the  top  level  screen 

•  organizes  the  way  in  which  the  satellite  is  viewed  for  potential  dam¬ 
age  to  a  given  NWE 

•  establishes  an  audit  trail  in  the  form  of  a  response/susceptibility 
matri x 

Concerning  the  first  point  the  failure  modes  for  the  various  NWE  considered  in  this 
assessment  are: 

NWE  Failure  Mode 

SGEMP  burnout  circuit 

TREE  burnout  part 

degradation  part 

functional  upset  subsystem  functions 

radiation  effects  on  nonelectronic  components  system 

In  other  words,  the  failure  mode  for  SGEMP  burnout,  for  example,  is  the  failure  of  an 
individual  circuit,  and  in  fact,  these  will  be  identified  in  the  subsequent  assessment 
by  the  box  and  pin  number  at  the  interface  between  incident  cabling  and  interior  box 
circuitry.  In  contrast,  functional  upset  occurs  at  the  subsystem  level  and  is  identi¬ 
fied,  not  by  the  boxes  and  circuitry,  but  by  the  specific  function. 

The  second  point  above,  namely  the  response/susceptibility  matrix,  was  gen¬ 
erated  by  ETI  for  the  entire  FLTSATCOM  system,  i.e.,  the  top-level  screen  of  FLTSATCOM 
is  complete.  The  results  for  the  AVCS  subsystem  are  shown  in  Table  1.4-1.  Those  AVCS 
boxes  which  can  be  eliminated  from  any  further  analysis  and  the  justification  are  indi¬ 
cated.  The  blank  spaces  indicate  those  boxes  that  still  have  to  be  considered  for  the 
indicated  NWE.  A  more  extensive  discussion  of  this  top  level  screen  is  given  in  Ref.  3 
by  ETI. 
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Table  1.4-1. 


Response/Susceptibility  Matrix  for  AVCS  Boxes 


For  each  NWE  the  appropriate  failure  mode  designation  is  indicated  by  the 
following  key 


A 

V 

O 

□ 

blank 


not  credible 

not  lead  to  mission  failure 

not  mission  critical 

not  used  on  orbit 

box  has  not  been  screened  out 


1.5  OVERVIEW  OF  THE  PRELIMINARY  ASSESSMENT. 

The  status  of  the  preliminary  assessment  of  the  AVCS  is  as  follows.  The 
NHEP  methodology  has  been  translated  into  a  set  of  procedures  for  each  NWE  which  will 
be  applied  to  the  AVCS.  The  documents  necessary  for  the  assessment  have  been  gathered 
together;  the  formats  for  collecting  the  data  have  been  identified;  the  statistical 
approaches  to  handling  the  data  have  been  laid  out,  and  the  modeling  approaches  have 
been  developed. 

Our  tentative  schedule  for  completing  the  assessment  based  on  these  proce¬ 
dures  is  late  January  1980.  At  the  moment,  since  an  assessment  of  a  satellite  has 
never  been  performed  before,  we  do  not  know  if  our  schedule  is  optimistic  or  pessi¬ 
mistic.  In  any  case,  while  the  assessment  results  themselves  will  be  undoubtedly 
interesting,  one  of  our  objectives  is  to  debug  the  methodology,  and  if  necessary  we 
will  halt  the  assessment  to  rectify  deficiencies  in  the  methodology. 

For  purposes  of  this  assessment  each  of  the  NWE  is  treated  independently.  This 
means  that  each  of  the  NWE  can  be  assessed  separately,  i.e.,  by  different  individuals 
working  independently.  This  makes  the  organization  of  the  assessment  easy,  and  in  fact 
an  actual  assessment  of  a  system  would  parcel  out  NWE  among  different  departments  or 
performing  organizations. 

What  is  different  about  NHEP-S  is  that  the  performers  come  back  to  the  assess¬ 
ment  manager  with  damage  functions  for  each  NWE.  The  damage  functions  then  get  com¬ 
pared,  and  resources  get  allocated  based  on  the  damage  functions. 

It  is  this  interactive  feature  of  NHEP  that  we  wish  to  highlight,  and  this 
is  shown  in  Figure  1.5-1.  At  the  point  where  all  the  preliminary  damage  functions  are 
reported  to  the  manager,  a  set  of  planning  options  will  be  investigated.  These  options 
will  be  resolved  by  considering  what  might  happen  to  the  damage  functions  if  each  of 
them  are  exercised.  The  cost  of  exercising  the  option  will  also  be  considered.  For 

example,  once  we  see  the  damage  function  for  SGEMP  burnout,  we  may  ask  what  is  the  con¬ 

sequence  of  using  semi-rigid  cabling,  as  opposed  to  the  standard  braid  shield  in  the 
AVCS.  (The  answer  is,  the  additional  size  and  weight  make  this  option  unattractive,  but 
the  fact  that  the  option  is  considered  and  documented  is  very  useful  to  a  program  man¬ 
ager.)  Other  options  considered  would  be  additional  tests  and/or  improving  the  models. 
The  resulting  tradeoffs  will  define  what  happens  on  the  next  phase  of  the  assessment. 
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SECTION  2 


NHEP  STATISTICAL  APPROACH 

2.1  OVERVIEW  OF  STATISTICAL  MANAGEMENT  OF  PRELIMINARY  ASSESSMENT. 

Our  objective  in  this  section  is  to  describe  our  approach  to  the  statistical 
aspects  of  NHEP  during  the  Preliminary  Assessment  phase.  We  assume  in  principle  that 
prior  to  this  phase  certain  boundary  conditions  have  been  defined.  These  include 
assessment  accuracy  acceptance  criteria  and  identification  of  mission  critical  failure 
modes  based  upon  a  functional  analysis.  During  the  preliminary  assessment  phase  the 
assessment  is  to  be  accomplished  using  only  existing  data  and  models.  Naturally  the 
accuracy  of  this  first  phase  of  the  assessment  may  not  satisfy  the  acceptance  criteria 
If  this  is  the  case  then  plans  must  be  developed  for  improving  the  data  and  modeling 
base  for  the  final  assessment.  The  management  function  then  enters  to  allocate 
resources  to  implement  the  plans  during  the  next.  Data  Base  Improvement,  phase. 

In  this  chapter  we  restrict  our  attention  to  the  statistical  aspects  of  the 
preliminary  assessment  phase.  The  following  steps  are  involved:  1)  development  of 
the  necessary  failure  mode  inputs  and  models  from  existing  data,  2)  extraction  of  the 
necessary  system  data  from  drawings,  3)  performance  of  required  statistical  calcula¬ 
tions  on  the  data  base  to  generate  statistical  assessment  results  including  damage 
functions.  These  show  the  distribution  of  resistance  or  strength  of  the  satellite 
system  and  its  component  subsystems  with  measures  of  confidence  in  these  results. 

And  finally  one  considers  how  statistical  decision-aiding  information  is  generated 
such  that  management  can  use  it  to  allocate  resources  during  the  next  assessment  phase 
namely,  data  base  improvement. 

An  overview  of  the  assessment  information  flow  during  the  preliminary  screen 
phase  is  shown  in  Figure  2.1-1.  We  first  discuss  this  figure  in  general  terms,  and 
then  follow  up  with  a  specific  statistical  example  in  Section  2.2.  Start  with  a  typi¬ 
cal  failure  mode  depicted  in  the  lower  left  of  the  figure.  We  will  consider  such 
failure  modes  in  three  parts,  the  cable  and  its  lead  to  the  pin,  the  subsequent  pro¬ 
tective  circuitry,  and  the  one  or  more  devices  such  as  transistors  which  are  subject 
to  failure.  As  shown  in  the  center  panel,  we  will  define  a  certain  number  of  classes 
for  each  of  these.  For  example,  one  such  device  class  may  be  the  2N2222  transistor. 

We  will  define  a  number  of  classes  appropriate  to  the  resolution  of  accuracy  of  the 
available  data. 
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Figure  2.1-1.  Overview  of  the  Statistical  Management  of  Preliminary  Assessment 


In  the  case  of  the  protective  circuits,  a  definition  of  a  class  will  include 
the  circuit  topology  and  values  of  parameters  for  its  components.  In  the  case  of 
cables,  the  classes  will  define  the  cable  type  and  length. 

For  each  failure  mode  we  will  also  identify  the  most  appropriate  failure 
model  which  combines  the  parameter  values  of  the  various  classes  of  parameters  asso¬ 
ciated  with  cable,  protective  circuitry  and  vulnerable  device. 

It  is  important  to  notice  that  even  if  there  may  be  thousands  of  individual 
failure  modes,  organizing  the  data  base  in  this  fashion  involves  a  reasonably  limited 
amount  of  effort.  Suppose  for  example  that  there  are  20  classes  each  for  cables,  pro¬ 
tective  circuits,  and  devices.  This  will  require  accumulating  data  for  only  a  total 

of  60  different  classes.  However,  as  shown  by  the  three-dimensional  array  for  models, 

3 

these  can  be  combined  in  20  =  8000  different  ways.  Admittedly  not  all  of  these  may 
be  physically  meaningful,  but  nevertheless  the  point  is  clear. 

The  kind  of  data  to  be  collected  is  indicated  for  the  2N2222  transistor  on  the 
front  data  card  of  the  center  panel.  For  this  transistor  we  need  inputs  on  the  reverse 
breakdown  voltage,  VQ,  the  bulk  resistance,  rB,  and  the  Wunsch  damage  constant,  k. 

The  statistical  input  data  for  such  parameters  can  be  in  a  variety  of  formats.  For 
example,  if  test  data  is  available,  we  may  input  the  sample  mean,  standard  deviation, 
and  number  of  tests  that  were  used  to  obtain  this  data.  For  this  format  we  keypunch 
an  S  in  the  first  column  of  the  input  card.  Some  parameters  may  be  subject  to  uncer¬ 
tainty  but  there  may  exist  no  test  data.  Then  we  keypunch  an  L  in  the  first  column, 
followed  by  the  name  of  the  variable,  its  mean,  and  measures  of  the  uncertainty  based 
upon  engineering  judgment.  Other  parameters  which  are  constants  will  receive  a  C  in 
the  first  column,  followed  by  the  name  and  the  value  for  the  constant.  Other  input 
formats  may  be  desirable  and  can  easily  be  defined  in  a  similar  fashion.  In  the  case 
of  protective  circuits,  the  inputs  would  include  the  circuit  topology  and  values  for 
the  circuit  elements.  Naturally  some  of  these  circuit  elements  may  be  subject  to  uncer 
tainty,  which  will  be  described  in  the  inputs. 

When  the  data  base  has  been  organized  in  this  fashion,  it  is  summarized  in 
the  form  of  a  manual  which  is  used  to  support  acquisition  of  the  system  data.  System 
data  can  be  acquired  in  a  variety  of  fashions.  The  best  way,  of  course,  would  be  to 
acquire  it  during  the  system  design.  In  our  diagram,  however,  we  suppose  we  are 
assessing  an  existing  system.  Thus,  we  must  extract  the  system  data  from  system  draw¬ 
ings.  Depending  upon  the  complexity  of  the  data,  this  may  be  a  large  job,  as  sug¬ 
gested  by  the  piles  of  drawings  towering  over  our  data  collector  in  the  drawing.  His 
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job  is  to  examine  the  drawings  for  each  failure  mode,  determine  the  appropriate 
classes  for  the  cable  protective  circuits  and  devices  of  the  failure  mode,  and  enter 
these  into  the  computer. 

This  is  a  critical  activity  of  the  assessment,  and  one  can  imagine  the  pos¬ 
sibility  of  errors  occurring.  It  appears  likely  therefore,  that  in  the  assessment  of 
complex  system,  a  quality  control  activity  should  be  instituted  to  assure  a  suffi¬ 
ciently  low  error  rate. 

The  computer  will  be  programmed  to  tabulate  this  data,  as  shown  in  List  1, 
Figure  2.1-1.  There  we  have  identified  classes  and  failure  modes  by  integers.  An 
alphanumeric  identifier  will  be  equally  acceptable,  and  may  prove  more  informative. 

The  computer  will  then  summarize  List  1  into  List  2.  To  do  this  the  com¬ 
puter  will  count  the  number  of  failure  modes  occurring  in  each  element  of  the  three- 
dimensional  classification  array.  This  may  result  in  a  much  abbreviated  list. 

Next,  the  computer  will  extract  from  the  data  base  the  necessary  input  data 
and  the  failure  model  for  each  failure  class.  The  survivability  statistics  are  then  cal 
culated  for  each  failure  class.  These  will  be  displayed  both  for  a  single  failure  mode 
and  also  for  the  combination  of  all  of  the  failure  modes  in  the  failure  class.  The 
method  of  calculating  these  survivability  statistics  will  be  described  in  detail  below. 
The  survivability  statistics  will  include  small  sample  statistics  such  as  the  median, 
standard  deviation,  and  the  effective  number  of  tests.  The  effective  number  of  tests 
is  derived  from  the  test  data  on  the  input  parameters,  and  will  be  more  fully  explained 
in  the  example  in  Section  2.2. 

The  computer  will  then  screen  the  failure  classes.  Based  upon  the  surviva¬ 
bility  statistics  for  each  failure  class,  the  computer  will  identify  the  controlling 
failure  classes.  The  other  failure  classes  affect  the  system  or  subsystem  damage 
functions  only  negligibly,  and  hence  may  be  deleted  from  more  detailed  evaluation  in 
the  next,  Data  Base  Improvement  phase.  The  method  of  screening  the  failure  classes 
will  be  described  in  the  example. 

The  computer  will  then  combine  the  controlling  failure  class  survivability 
statistics  to  obtain  damage  functions  for  the  system  and  major  subsystems  as  desired. 

The  damage  function  is  the  distribution  of  fluences  that  fail  the  system  and  is  given 
as  a  function  of  statistical  confidence. 

The  computer  will  then  proceed  to  provide  decision-aiding  information  for 
planning  the  data  base  improvement  activities  of  the  next  phase.  To  this  end  a  wide 
variety  of  parameters  will  be  ranked  for  their  sensitivity  to  system  uncertainty  and 
hardness. 
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For  example,  subsystems  may  be  ranked  for  their  percentage  contribution  to 
system  level  uncertainty.  They  can  also  be  ranked  according  to  hardness  sensitivity 
coefficients.  The  method  of  deriving  this  decision-aiding  information  is  described 
in  the  example. 

Test  planning  inputs  will  also  be  generated.  As  was  mentioned  the  SANE  com¬ 
puter  code  can  combine  test  data  on  inputs  to  obtain  equivalent  test  data  in  the  form 
of  small  sample  statistics  for  a  higher  system  level.  For  example,  test  data  on 
parameters  can  be  combined  to  obtain  equivalent  test  data  at  the  circuit  level.  Test 
data  at  the  circuit  level  can  be  combined  to  obtain  equivalent  test  data  at  the  box 
level.  Box  level  test  data  can  be  combined  to  the  subsystem  level,  which  in  turn  can 
be  combined  to  the  system  level.  As  a  result  we  can  directly  measure  the  benefit  of 
testing  done  at  any  of  these  levels  on  the  uncertainty  in  the  survivability  statistics 
of  the  system  level.  When  this  capability  is  combined  with  information  on  the  cost, 
feasibility,  and  time  requirements  for  testing  at  any  of  these  levels,  we  have  a  very 
useful  tool  to  support  cost-effective  test  planning.  This  kind  of  information  is  indi¬ 
cated  at  the  bottom  of  the  output  panel  in  Figure  2.1-1.  and  its  method  of  calculation 
will  be  described  in  the  example  which  follows. 

2.2  SAMPLE  STATISTICAL  PROBLEM. 

Problem  Description 

The  sample  problem  is  to  derive  damage  functions  for  five  mission  critical 
circuits  exposed  to  an  EMP  environment.  By  working  out  this  calculation  in  this  small 
sample,  the  statistical  procedures  to  be  employed  in  the  AVCS  assessment  using  the 
SANE2  statistical  analyses  code  for  the  thousands  of  failure  modes  that  comprise  the 
AVCS  will  become  clear. 

Damage  Function  Model 

We  require  a  damage  function  model*  for  each  circuit  of  our  system.  The 
strength  and  stress  may  be  expressed  in  terms  of  a  variety  of  quantities,  including 
(but  not  limited  to)  the  threshold  current,  voltage,  or  power  just  needed  to  cause 


The  theory  of  damage  function  modeling  is  presented  in  W.H.  Rowan,  "Recent  Advances  in 
Failure  Analysis  by  Statistical  Techniques,"  Shock  and  Vibration  Bulletin,  Sept  1977, 
Naval  Research  Laboratory,  Office  of  the  Director  of  Defense  Research  and  Engineering. 
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damage,  and  the  response  current,  voltage,  or  power  due  to  the  EMP  threat,  respectively. 
The  failure  mode  is  the  burnout  of  a  semiconductor  junction.  In  order  to  compare  an 
event  at  a  microscopic  level  (i.e.,  burnout)  to  the  environment  incident  on  the  system, 
the  model  must  translate  either  threshold  and/or  threat  to  a  common  physical  point. 
Common  choices  of  this  point  are: 

-  External  to  the  system:  propagate  the  threshold  quantity  out  through 
the  system  to  obtain  the  level  of  the  environment  which  causes  failure, 
then  compare  to  threat  environment, 

-  At  the  part:  propagate  the  environment  down  through  the  system  to 
obtain  the  response  level  delivered  to  the  part, then  compare  to  the 
part  threshold, 

-  At  the  pin:  propagate  environment  down  to  and  threshold  up  to  the  con¬ 
nector  pin  on  an  electronics  box, then  compare. 

In  the  following  example  the  point  of  comparison  is  at  the  part  (or  equivalently  at 
the  pin  since  we  will  assume  that  the  vulnerable  part  is  installed  at  the  pin  without 
intervening  circuitry). 

Next,  we  postulate  the  model  using  peak  voltage  as  the  measure  of  response.* 

First,  express  the  relationship  between  an  external  electric  field  and  the 
EMP  voltage  at  the  end  of  a  cable  as  the  product  of  transfer  functions,  i.e., 


V 


E 


T1T2T3 


(2.2-1) 


where 

EQ  =  peak  electric  field  strength 

Tj  =  bulk  external  surface  current/external  electric  field 

T2  =  cable  shield  current/bulk  external  surface  current 

=  cable  voltage/cable  shield  current  (transfer  impedance). 

This  voltage  V^.  is,  then,  the  local  measure  of  stress.  In  a  real  system  we  would 
expect  the  mean  values  of  some,  or  all,  of  the  functions  Tp  T2,  T2  to  vary  from 
circuit  to  circuit  as  a  result  of  configuration  variations  in  cable  type,  dimensions, 
and  lay. 


The  EMP  modeling  follows  that  of:  C.E,  Wuller,  "Missile  EMP  Safety  Margins,"  TRW, 
4733.4.79-004,  January  1979. 
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To  model  the  local  threshold  or  failure  voltage,  assume  each  cable  has  ter¬ 
minal  protection  in  the  form  of  back-to-back  Zener  diodes.  Choose  the  reverse  biased 
diode  as  the  failure  mode.  The  failure  voltage  is  given  by 


Vp  =  V  +  IF  R 


(2.2-2) 


where 

V  =  the  diode's  breakdown  voltage 
R  =  its  bulk  resistance 
Ip  =  the  current  at  failure. 

Next,  we  construct  a  conventional  device  power  model  for  the  failure  current.*  The 
failure  power  is  given  by 


Pp  =  Ip  V  +  IF‘  R 


(2.2-3) 


and  can  be  equated  to  the  Wunsch-Bell  parameter  of  square  pulse  failure  data 


PF  =  Kt 


-1/2 


(2.2-4) 


where 


K  =  the  damage  constant 
t  =  the  pulse  width. 

Equating  (2.2-3)  and  (2.2-4)  and  solving  for  the  failure  current  yields 


-  V 


+  y  v2  + 


4R  Kt 


-1/2 


2R 


(2.2-5) 


★ 

Such  models  are  discussed  in  R.A.  Croxale  and  A.K.  Thomas,  "Subsystem  Nuclear  Vulnera¬ 
bility  Assessment  Methodology,"  TRW,  20.3-A018,  March  1977. 


Then,  substituting  back  into  (2.2-2)  the  failure  voltage  becomes 


_  V  +  \/ V2  +  4R  Kt"1//2 
F  2 


(2.2-6) 


This  failure  voltage,  Vp,  is  then,  the  measure  of  the  strength  of  the  circuit.  Note 
the  dependence  of  Vp  on  the  device  parameters  of  a  given  circuit. 

Finally,  we  defi ne  the  circuit  safety  margin  as 


(2.2-7) 


Subsequently,  we  will  want  to  linearize  (2.2-7).  Frequently  this  is  facilitated  by 
working  in  log-space.  Converting  the  above  yields 

m  =  {.n  M  =  £n  Vp  -  £n  Vp  (2.2-8) 


Note  that  with  this  definition  of  safety  margin  we  have  made  m  <  0  the  criteria  for 
burnout.  The  question  of  whether  this  criteria  is  accurate  can  only  be  answered  by 
testing. 

The  Statistical  Model 

Our  objective  now  is  to  derive  a  statistical  model  for  probability  of  damage. 
An  overview  of  the  statistical  development  is  shown  in  Figure  2.2-1.  In  that  figure 
the  physical  model  derived  above  is  shown.  We  will  linearize  this  model.  To  accom¬ 
plish  this  for  the  sample  problem  we  will  use  the  linear  terms  of  a  Taylor  series 
expansion,  although  the  SANE2  code  employs  a  numerical  method  for  accomplishing  the 
same  end. 

We  will  also  require  test  data  on  the  statistical  inputs.  The  format  is  shown 
in  the  lower  left  of  Figure  2.2-1.  Suppose  we  are  testing  to  obtain  data  on  a  certain 
transistor,  say  2N2222.  We  select  a  transistor  at  random  and  measure  its  reverse  cur¬ 
rent  breakdown  voltage,  V,  its  bulk  resistance,  R,  and  its  Wunsch  parameter  K.  We  thus 
have  a  vector  of  three  numbers  for  this  particular  transistor.  We  repeat  this  proc¬ 
ess  a  certain  number  of  times,  each  time  obtaining  a  vector  of  the  three  measured  val¬ 
ues.  We  have  obtained  a  sample  of  test  data.  Such  data  can  be  analyzed  to  obtain  the 
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Figure  2.2-1,  Information  Flow  for  Statistical  Analysis  in  Preliminary  Assessment 


mean  and  sample  covariance  matrix.  In  this  sample  calculation  we  shall  neglect  corre¬ 
lations.  The  panel  at  the  lower  left  in  Figure  2.2-1  shows  the  resulting  data,  includ¬ 
ing  the  sample  mean  and  sample  standard  deviation  for  the  three  variables.  The  two 
right  hand  columns  in  that  panel  show  the  amount  of  test  data,  or  sample  size,  used  to 
obtain  the  mean  and  the  standard  deviation.  The  number  of  observations,  g,  is  the 
number  of  tests  used  for  estimating  the  mean;  and  the  degrees  of  freedom,  f,  are  the 
number  of  tests  available  to  estimate  the  standard  deviation.  In  general,  g  and  f 
need  not  be  related.  The  small  sample  statistics  then  consist  of  the  four  statistics, 
mean,  standard  deviation,  number  of  observations,  and  degrees  of  freedom.  More  gener¬ 
ally  we  could  include  the  correlations  between  the  input  variables,  but  these  are  being 
neglected  for  this  sample  calculation. 

We  now  propagate  the  input  small  sample  statistics  through  the  linearized 
physical  model  to  obtain  small  sample  statistics  at  the  circuit  level.  The  equations 
are  shown  in  a  center  block  of  Figure  2.2-1.  The  four  equations  shown  there  permit 
us  to  calculate  the  small  sample  statistics  for  a  circuit,  based  upon  test  data  on  the 
input  parameters.  Our  method  thus  provides  us  with  two  alternatives  for  obtaining  cir¬ 
cuit  level  test  statistics:  1)  we  can  test  the  input  parameters  to  a  circuit  and 
derive  test  statistics  at  the  circuit  level,  or  2)  we  could  test  the  circuit  directly, 
thereby  obtaining  test  statistics.  The  choice  between  the  alternatives  can  be  based 
upon  economic  and  feasibility  considerations.  It  is  most  important  to  recognize  that 
while  in  this  example  we  are  combining  input  parameter  test  data  to  obtain  circuit 
test  statistics,  the  same  approach  can  be  used  at  other  levels,  such  as  testing  at  the 
box  or  subsystem  levels  and  integrating  the  resulting  test  statistics  up  to  the  system 
level.  A  full  discussion  of  test  planning  based  upon  such  alternatives  is  beyond  the 
scope  of  this  report. 

Having  obtained  the  small  sample  statistics  at  the  circuit  or  system  level, 
we  can  then  proceed  to  use  these  for  obtaining  the  outputs  shown  at  the  right  in  Fig¬ 
ure  2.2-1.  In  this  report  we  will  briefly  indicate  how  two  of  these  outputs  can  be 
obtained. 

We  will  now  derive  the  statistical  model  for  probability  of  damage,  i.e., 

Pg  =  Probability  of  Damage  =  Prob  (m  <  0)  (2.2-9) 

By  use  of  Eq.  (2.2-8)  this  becomes 

PD  =  Prob  Un  Vp  £  in  V£)  (2.2-10) 
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In  Eq.  (2.2-10)  note  that  Vp  and  V£  are  treated  as  random  variables,  since  we 
assume  inputs  such  as  transfer  functions  and  diode  characteristics  are  random. 

To  evaluate  we  will  assume  that  all  random  input  variables  are  log  norm¬ 
ally  distributed  (i.e.,  their  logarithms  are  normally  distributed).  We  assume  test  data 
exists  from  which  we  can  estimate  the  mean  and  standard  deviations  for  each  input  dis¬ 
tribution  (for  this  sample  calculation  we  will  neglect  possible  correlations  between 
inputs).  Since  we  have  only  a  limited  amount  of  test  data  the  estimates  of  the  input 
means  and  standard  deviations  may  be  regarded  as  random  variables  distributed  about 
the  true,  but  unknown,  population  values.  A  method  of  treating  distributions  with 
uncertain  parameters  is  the  method  of  small  sample  statistics  which  we  will  get  to 
shortly. 

The  first  step  in  the  statistical  calculations  is  to  linearize 

m  =  in  (v  +  vV  +  4R  kT-1/2 )]  -  nn  E  T^Lj  (2.2-11) 

which  comes  from  Eqs  (2.2-1),  (2.2-6)  and  (2.2-8).  This  can  be  accomplished  by  using 

the  linear  terms  from  a  Taylor  series  expansion.  If  we  apply  the  small  sample  statis¬ 
tical  treatment  to  the  inputs  V,  R,  k  and  T3  we  obtain  the  following  truncated  Taylor 

series  about  the  point  (V",  R",  "k,  T3),  the  estimates  of  the  means, 

m  =  Bo  +  eiinV  A*nV  +  B*nk  Mnk  +  BznR  A*nR  +  B*n  t/*"  T3  {2'2'12) 


where  the  regression  coefficients  are 
Bq  =  constant 

V  _ 

Bs.nV  ‘ 

Bjink  “  BinR 
6tn  T3  =  -1 

We  are  now  ready  to  consider  small  sample  statistics  on  inputs  and  how  these 
can  be  propagated  through  our  algebraic  model  to  produce  small  sample  statistics  on  the 


'i1  +  4R  kr"1/2 


circuit  model.  An  example  of  small  sample  statistical  inputs  is  shown  in  Table  2.2-1. 
Of  the  eight  input  variables,  we  will  treat  only  four,  namely  Tg,  V,  k  and  R,  by  the 
small  sample  statistical  method.  Although  some  of  the  other  variables  may  be  subject 
to  uncertainty,  we  suppose  here  that  test  data  to  estimate  their  distributions  is  not 
available.  Treatment  of  such  variables  is  beyond  the  scope  of  this  report  and  will  be 
discussed  in  a  later  report. 

Table  2.2-1  summarizes  test  results  on  each  of  the  four  inputs.  The  table 
shows  that  the  transfer  function  Tg  was  estimated  by  measurements  on  10  cables  (see 
column  4)  to  obtain  10  experimental  values  for  Tg.  From  those  10  values  the  sample 
median  1/32  (column  2),  and  the  sample  standard  deviation  (0.54)  of  the  logarithm  of 
the  measured  values  (column  3)  were  calculated.  Column  4  shows  the  number  of  observa¬ 
tions,  g.j ,  available  for  estimating  the  mean  and  column  5  gives  the  degrees  of  freedom 
available  for  estimating  the  standard  deviation.  For  present  purposes  then,  small 
sample  statistics  is  limited  to  the  four  parameters  shown  in  Table  2.2-1.  Our  objec¬ 
tive  now  is  to  combine  the  input  small  sample  statistics  to  obtain  the  corresponding 
small  sample  statistics  for  the  circuit  (i.e.,  the  distribution  of  failure  probability 
or  damage  function). 
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To  calculate  the  mean  for  the  logarithm  of  the  margin  we  use  Eq.  (2.2-12), 
with  mean  values  of  the  logarithms  (the  median)  for  each  of  the  inputs: 

m  =  i  ei  Xj  (2.2-13) 

where  X.  =  the  mean  of  logarithms  the  i^  variable. 

To  calculate  the  variance  of  the  margin  we  use  a  result  from  Reference  (18), 
which  states 


S 


2 


(2.2-14) 


To  calculate  the  number  of  observations  for  our  estimate  of  m  in  Eq.  (2.2-13),  we  use 
another  result  from  Reference  (18) 


(2.2-15) 


where 

2 

Sx  =  the  variance  of  a  parameter  x 

2  _ 

S-  =  the  variance  of  an  estimate  of  the  mean,  x,  based  on  g^  observations. 

From  Eq.  (2.2-15)  we  can  write 


S2 

m  sm  ai 


(2.2-16) 


Equation  (2.2-16)  can  be  solved  for  gm,  the  number  of  observations  for  estimating  the 
mean  m. 

To  calculate  the  degrees  of  freedom  for  Sm,  we  will  use  an  approximation  from 
Reference  (19): 


S 


2  Sx 
s  "  2? 


(2.2-17) 
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where 


1 


p 

S  =  the  variance  for  the  estimate  of  the  standard  deviation  of  the  param- 
x  eter  x. 

From  Eq.  (2.2-17)  we  can  write 


2 

£  61  2T7 


(2.2-18) 


Equation  (2.2-18)  can  be  solved  for  f  ,  the  degrees  of  freedom  for  Sm. 

Equations  (2.2-13),  (2.2-14),  (2.2-15)  and  (2.2-18)  provide  the  small  sample 
statistics  for  a  circuit.  The  calculations  are  illustrated  in  the  last  two  columns 
of  Table  2.2-1.  Also,  Tables  2.2-2  through  2.2-5  provide  inputs  and  calculation 
results  for  four  additional  circuits. 

Damage  Functions 

Circuit  damage  functions  can  be  computed  from  the  data  in  Tables  2.2-1  through 
2.2-5.  For  convenience,  the  necessary  statistics  have  been  collected  in  Table  2.2-7. 

The  damage  function  is  the  distribution  of  external  field  which  causes  dam¬ 
age.  The  function  can  be  defined  for  a  single  circuit  or  for  a  system  composed  of 
many  circuits.  For  our  present  purpose  we  assume  the  circuit  damage  function  is  a 
log-normal  distribution.  Therefore,  to  define  the  damage  function,  we  must  calculate 
the  mean  and  standard  deviation.  The  mean  is  shown  in  column  2  of  Table  2.2-7  and  the 
logarithmic  standard  deviation  is  in  column  3.  Using  these  parameters,  damage  func¬ 
tions  for  each  of  the  five  circuits  are  plotted  in  Figure  2.2-2,  on  log-normal  probabil¬ 
ity  paper.  This  paper  has  the  property  that  log-normal  distributions  plot  as  straight 
lines.  The  four  damage  functions  are  for  50%  confidence  or  best  estimate  curves.  Other 
confidence  levels  for  the  first  circuit  damage  function  will  be  shown  later. 

Now  consider  how  the  damage  functions  for  these  circuits  might  be  combined  to 
obtain  the  "system"  damage  function.  To  be  done  properly,  considering  the  confidence 
factor,  this  is  best  done  by  the  SANE  Code  because  the  calculations  are  rather  exten¬ 
sive  to  be  accomplished  by  hand.  An  unconservative  approximation,  using  only  the  50% 
confidence  curves  in  Figure  2.2-2  can  be  done  by  hand.  To  do  this,  pick  a  damage  field 
strength.  Eg,  say  10®  V/M.  Read  horizontally  and  obtain  the  probability  1  -  Pp  at  the 
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Table  2.2-4.  SANE  II  Worksheet:  Circuit  Number  4770525 
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R 

1.0 

0.59 

7 

6 

0.04 

0.0006 

L°9e(ED) 

13.7 

0.32 

7.04 

6.04 

ed 

9. 13(10)5 
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Table  2.2-6.  Screening  Example  for  Sample  Problem 


Circuit 

L°ge  ed 

9 

f 

z  = 

Log  Ep/Er 

sz 

gz 

fz 

1 

15.1 

0.74 

6.27 

5.02 

1.38 

0.81 

6.38 

5.16 

2 

16.1 

0.59 

7.85 

6.36 

2.38 

0.68 

7.65 

6.37 

3 

17.0 

0.42 

6.60 

5.49 

3.34 

0.53 

6.75 

5.68 

4 

16.6 

0.77 

5.82 

4.25 

2.96 

0.83 

5.97 

4.45 

5 

13.7 

0.32 

7.04 

6.04 

REFERENCE 

Table 

2.2-7.  Summary  of  Small  Sample  Statistics 
for  Sample  Problem 

Circuit 

Loge  rD 

ld 

9 

f 

P 

vs  C 

Mod^l 

1 

15.1 

0.74 

6.27 

5.01 

5.75 

=  KP 

+ 

1.86 

Kc 

2 

16.1 

0.59 

7.85 

6.36 

8.82 

=  K 

P 

+ 

2.50 

Kc 

3 

17.0 

0.42 

6.60 

5.49 

14.76 

=  KP 

+ 

4.47 

Kc 

4 

16.6 

0.77 

5.82 

4.25 

7.61 

=  KP 

+ 

2.64 

K 

c 

5 

13.7 

0.32 

7.04 

6.04 

9.02 

•  kp 

+ 

2.62 

Kc 
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circuit  is  in  series.  Circuits  are  in  series  if  survival  of  all  is  required  for  sys¬ 
tem  survival.  Circuits  are  in  parallel  if  failure  of  all  is  required  for  system  fail¬ 
ure.  The  preceding  calculation  can  be  adapted  for  parallel  circuits. 

Such  calculations  have  been  done  for  the  circuit  damage  function  in  Fig¬ 
ure  2.2-2.  The  results  are  plotted  as  a  dashed  line  for  the  system  damage  function. 
Note  that  in  this  case  the  system  damage  function  differs  only  slightly  from  the  dam¬ 
age  function  for  weakest  circuit.  The  other  four  circuits  are  relatively  hard  and  it 
may  not  be  necessary  to  include  them  in  the  definition  of  the  damage  function.  This 
leads  to  the  concept  of  screening,  which  will  be  illustrated  later.  Screening  of  parts 
of  a  system  from  further  consideration  in  an  assessment  can  be  important  to  conserve 
resources,  particularly  with  systems  having  large  numbers  of  failure  modes. 

Probability  Versus  Confidence  Model 

We  will  now  consider  how  small  sample  statistics  can  be  used  for  making  state¬ 
ments  regarding  the  probability  and  confidence  that  can  be  associated  with  a  wide  vari¬ 
ety  of  events. 

The  salient  features  of  the  model  are  shown  in  Figure  2.2-3.  We  shall  assume 
that  we  are  dealing  with  a  parameter  that  is  normally  distributed.  We  have  available 
small  sample  statistics  in  the  format  previously  described  for  estimating  the  mean  and 
variance  of  the  parameters'  normal  distribution.  Furthermore,  there  is  a  certain  crit¬ 
ical  value  Xc  for  the  parameter  and  we  wish  to  determine  the  probability  and  confidence 
that  a  future  value  of  X  drawn  from  its  distribution  will  exceed  the  parameter  Xc>  The 
parameter  Xc  may  be  a  design  specification  or  a  criteria.  Alternatively,  our  parameter 
X  may  be  the  difference  between  a  strength  and  a  stress,  in  which  case  a  positive  value 
of  X  corresponds  to  survival,  and  Xc  will  equal  0.  Our  approach  is  quite  general  and 
other  interpretations  are  possible. 

We  wish  to  determine  the  separation  between  X  and  Xc  in  units  of  the  sample 
standard  deviation,  S,  which  is  required  to  assure  that  a  randomly  selected  X  from  the 
population  will  exceed  Xc  with  probability  P  and  confidence  C.  The  exact  solution  to 
this  problem  involves  the  noncentral  t  distribution.  An  approximate  solution  is  avail¬ 
able  (as  follows): 


A 


+  K_ 


+  A2/2f 


A 


X 


c 


(2.2-20) 
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PROBABILITY  AND  CONFIDENCE  MODELS 


where 


ASSUMPTION 


•  POPULATION  IS  NORMALLY  DISTRIBUTED 

•  MEAN  AND  VARIANCE  ESTIMATED  BY 
SMALL  SAMPLE  STATISTICS 


FORMULATION 


SOLUTION 


WHERE 


Figure  2.2-3.  Model  of  Probability  vs  Confidence 


P  =  Proportion  of  the  population  estimated  to  exceed  Xc  with  confidence  C. 
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To  illustrate  the  use  of  Eq.  (2.2-20),  let  us  consider  the  damage  function 
for  the  first  circuit.  The  50%  confidence  damage  function  for  the  circuit  was  shown 
in  Figure  2.2-2,  along  with  the  same  for  the  other  four  circuits.  This  is  replotted 
in  Figure  2.2-4  together  with  the  10  and  90%  bounds  for  the  damage  function  for  the 
first  circuit.  To  plot  the  bounds  we  select  a  value  for  the  damage  field  strength, 
say,  2(10)6.  The  logarithm  of  this  value  is  inserted  as  Xc  into  Eq.  (2.2-20).  The 
value  for  X  and  S  are  obtained  from  Table  2.2-1,  circuit  1,  columns  2  and  3.  From 
the  same  table  we  obtain  values  to  insert  in  Eq.  (2.2-20)  together  with  the  computed 
value  of  delta.  We  are  now  free  to  select  values  for  confidence,  i.e.,  Kc>  We  shall 

DAMAGE  FUNCTION-  CIRCUIT  NO.  1 


1  2  5  10  20  30  40  50  60  70  80  90  95  98  99 

PROBABILITY  OF  DAMAGE  PD.  % 


Figure  2.2-4.  Damage  Function  for  Circuit  One  at 
10,  50,  and  90%  Confidence  Levels 
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select  3  values,  -1.28  (10%  confidence),  0  (50%  confidence),  and  1.28  (90%  confidence). 
As  a  result,  we  obtain  three  values  for  Pn,  which  can  be  plotted  at  the  corresponding 
field  strength,  2(10)  .  Continuing  this  process  for  other  field  strengths  we  gener¬ 
ate  the  three  curves  shown  in  Figure  2.2-4.  As  was  already  said,  the  50%  curve  is 
identical  with  the  curve  that  was  previously  shown  in  Figure  2.2-2.  The  interpreta¬ 
tion  of  the  10  and  90%  confidence  envelopes  is  as  follows.  An  infinite  number  of 
straight  lines  can  be  drawn  within  these  two  curves  as  envelopes.  The  difference 
between  the  curves  is  that  the  mean  value  and  the  slope  or  standard  deviation  have 
different  values.  Each  of  the  lines  represents  a  possible  true  distribution  for  the 
damage  function  for  circuit  1.  Based  upon  the  small  sample  statistics  that  we  used, 
we  have  an  80%  confidence  (we  lost  10%  in  each  tail)  that  the  true  distribution  is  one 
of  those  contained  within  the  envelope. 

As  another  example  of  the  application  of  Eq.  (2.2-20),  let  us  consider  the 
probability  and  confidence  that  the  strength  of  each  of  the  circuits  exceeds  a  hypo¬ 
thetical  design  specification,  say  a  field  strength  of  5(10)^  volts  per  meter.  In 
this  case  for  Xc  we  use  the  criteria  value,  5 ( 10 )4 .  Then  from  Table  2.2-1  we  obtain 
the  mean,  standard  deviation,  g  and  f  values  for  each  circuit  which  are  inserted  into 
Eq.  (2.2-20).  This  defines  all  of  the  parameters  in  (2.2-20)  except  Kp  and  K,.  The 
results  are  shown  as  the  final  column  in  Table  2.2-1.  We  then  proceed  to  plot  the 
relations  in  Table  2.2-1  on  Figure  2.2-5.  We  find,  however,  that  only  the  first  cir¬ 
cuit  in  on  scale,  the  other  four  circuits  have  a  probability  and  confidence  both 
exceeding  99%  and  hence,  do  not  appear  on  the  plot.  The  single  curve  shown  in  Fig¬ 
ure  2.2-5  is  for  circuit  1. 

Screening 

Many  systems  contain  a  large  number  of  possible  failure  modes,  ranging  in  the 
hundreds  up  to  the  thousands.  It  becomes  important,  therefore,  to  be  able  to  quickly 
identify  the  controlling  failure  modes.  This  is  useful  in  design  trade  studies  of  new 
systems,  and  in  a  hardness  assessment  or  upgrade  of  existing  systems.  Consider  now 
how  the  screening  can  be  accomplished  using  the  small  sample  statistical  approach. 

The  first  four  columns  of  Table  2.2-6  contain  small  sample  statistics  for  the 
five  circuits,  reproduced  from  Table  2.2-4.  The  last  four  columns  of  Table  2.2-6 
contain  small  sample  statistics  for  the  difference  z  between  the  first  four  circuits 
and  the  fifth,  which  is  the  weakest  (has  the  lowest  mean).  Call  the  damage  voltage  for 
the  fifth  circuit  Er,  and  let  Z  be  defined  as  a  random  variable  which  is  the  logarithm 
of  Eq  for  one  of  the  four  circuits,  minus  the  log  of  Er.  We  want  to  determine  the 


L  , 
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9 


PROBABILITY  vs  CONFIDENCE  FOR  CIRCUIT  No.l 


PROBABILITY  P,  % 


Figure  2.2-5.  Probability  vs  Confidence  Model  for  First  Circuit 

of  Sample  Problem 

probability  and  confidence  that  Z  exceeds  0.  If,  for  a  given  circuit,  this  probability 
is  high  with  a  high  confidence,  then  that  circuit  could  be  dropped  from  the  damage 
function  for  the  system  without  a  significant  effect.  Note  that  the  new  function  is 
already  linear,  and  that  we  have  the  small  sample  statistics  for  the  input,  i.e.,  for 
each  circuit.  Thus,  we  can  calculate  the  small  sample  statistics  for  Z  by  the  methods 
already  described.  This  has  been  done  with  the  results  shown  in  the  last  four  columns 


41 


of  Table  2.2-6.  The  next  step  is  to  insert  the  small  sample  statistics  for  each  cir¬ 
cuit  into  Eq.  (2.2-20),  obtaining  a  relationship  between  Kp  and  Kc>  The  results  of 
this  calculation  are  shown  in  Figure  2.2-6.  The  final  point  is  to  select  some  point, 
a  probability  and  confidence,  such  that  if  the  curve  for  any  circuit  falls  above  and 
to  the  right  of  that  point  we  will  screen  the  circuit.  In  general,  one  might  select 
such  a  point  based  upon  a  consideration  of  relative  costs  for  more  detailed  analysis 
and  testing  of  a  given  failure  mode,  compared  to  the  cost  of  making  a  screening  error. 
Bearing  in  mind  the  very  slight  effect  that  the  first  circuit  had  on  the  system  damage 
function  in  Figure  2.2-2,  we  suggest  tentatively  that  the  80-80  point  be  selected. 

This  point  has  been  shown  in  Figure  2.2-6.  Using  this  criteria,  we  would  screen  out 
all  the  variables  except  the  fifth. 
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CONFIDENCE  C. 


SCREENING  RESULTS 


Figure  2.2-6.  Probability  vs  Confidence  for  Screening 
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SECTION  3 


ASSESSMENT  PROCEDURES  FOR  NUCLEAR  WEAPONS  EFFECTS 

The  tasks  for  the  preliminary  assessment  of  the  AVCS  for  each  NWE  consist  of 
the  following: 

•  gathering  data  for  all  failure  modes 

•  classifying  data  into  appropriate  categories 

•  applying  appropriate  model  to  obtain  damage  function  and/or  probability 
of  survival  for  a  given  failure  mode. 

•  documenting  the  results  for  each  failure  mode 

•  statistically  combining  the  individual  failure  mode  damage  functions 
to  yield  a  system  level  damage  function 

This  section  provides  a  roadmap  for  accomplishing  all  of  these  tasks  (except  the  last, 
which  was  discussed  in  Section  2).  Each  NWE  is  discussed  below  in  terms  of 

•  history  of  the  FLTSATCOM  hardening  effort,  and  data  obtained  in  the 
course  of  that  effort 

•  formulas  and  algorithms  for  calculating  damage  functions 

•  assumptions,  limitations  and  uncertainties  in  the  models 

•  classification  of  data 

•  preparation  of  the  failure  mode  data  sheet 
3.1  SGEMP  BURNOUT. 

History  of  FLTSATCOM  Hardening  Effort  for  SGEMP  Burnout 

The  requirement  for  hardening  in  the  program  was  that  no  catastrophic  failure 
of  any  part  (burnout)  at  a  particular  X-ray  threat  level  (fluence)  was  permitted.  The 
basic  hardening  effort  for  SGEMP  burnout  was  the  following: 

•  use  of  individually  shielded  cabling  (braid  or  semi-rigid)  for  box-to- 
box  interconnections  in  order  to  make  direct  injection  cable  response 
the  dominant  SGEMP  coupling  mechanism. 

t  use  EM  and  X-ray  shielded  boxes  (components),  but  the  overall  satellite 
structure  was  not  designed  to  be  RF-tight. 

•  painting  the  inside  of  FLTSATCOM  bays  with  cat-a-lac  paint,  a  low  Z 
material,  to  minimize  cavity  field  coupling. 
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•  use  of  terminal  protection,  mostly  in  the  form  of  zener  diodes  or 
capacitive  filters,  to  attenuate  the  SGEMP  induced  signal. 

•  use  low  response  cabling  (semi-rigid)  when  terminal  protection  was  not 
feasible. 

•  hardness  demonstration  by  analysis  only. 

The  only  testing  that  was  done  for  SGEMP  was: 

•  direct  drive  X-ray  tests  of  cabling  (individual  wires,  not  the  entire 
harness) 

•  single  shot  current  injection  tests  of  engineering  model  circuits  to 
verify  that  terminal  protection  was  working  (i.e.,  shunting  the 
currents) 

The  analysis  that  was  done  calculated  the  SGEMP  current  from  direct  injection  expected 
at  the  pin,  assumed  that  all  of  the  energy  would  reach  the  most  vulnerable  part,  and 
compared  the  peak  power  generated  by  the  threat  with  the  threshold  of  the  vulnerable 
device,  which  was  exclusively  taken  to  be  a  semiconductor  device.  A  safety  margin 
was  calculated  and  terminal  protection  was  sized  accordingly.  Rough  estimates  of 
cavity-field  coupling  and  replacement  current  coupling  were  also  made. 

Probably  the  most  uncertain  aspect  of  the  hardening  effort  was  the  cavity 
field  coupling.  The  issues  fiere  centered  around  estimating  the  induced  shield  cur¬ 
rents  on  the  one  hand,  and  estimating  the  shield-to-core  transfer  impedance  on  the 
other.  Since  most  of  the  cabling  consisted  of  single-shield  hookup  wire  with  rela¬ 
tively  large  leakage  (85%  braid  coverage),  and  further,  since  no  transfer  impedance 
measurements  were  made  at  the  time,  the  cavity  field  coupling  estimates  are  suspect. 

Since  that  time  the  original  hardening  program  data  has  been  supplemented  by 

•  models  and  test  results  for  direct  injection  response  of  cabling 

However,  the  uncertainties  in  the  cavity-field  coupling  to  cables  still  remain.  In 
addition,  it  was  assumed  that  synergistic  effects  such  as  ionization  in  the  semicon¬ 
ductors  would  not  interfere  with  the  terminal  protection. 

Finally,  some  rough  calculations  were  made  in  order  to  verify  that  SGEMP 
inside  boxes  (box  IEMP)  was  negligible. 

To  summarize,  the  data  available  from  the  original  hardening  program  is  prob¬ 
ably  adequate  for  assessing  the  SGEMP  direct  injection  response  of  the  AVCS,  at  least 
at  the  criterion  environment  for  which  the  satellite  was  designed.  For  other  SGEMP 
mechanisms,  the  data  is  questionable. 
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Failure  Mode  Identification 

SGEMP  energy  is  coupled  into  the  AVCS  through  the  cabling  connected  to  its 
components.  Accordingly,  the  box  interface  pin  is  used  to  identify  the  SGEMP  failure 
mode,  even  though  the  actual  failure  is  of  a  single  vulnerable  part  in  the  circuit. 

In  the  preliminary  assessment  only  direct  injection  response  of  cabling  is  considered. 
Estimates  of  cavity  field  coupling  and  box  IEMP  coupling  are  given  at  the  end  of  this 
section  in  order  to  justify  treating  only  direct  injection  response  in  the  assessment. 

Damage  Functions  for  Direct  Injection  SGEMP  Coupling 

The  effect  of  X-rays  on  shielded  cabling  may  be  reduced  to  the  simple  equiva¬ 
lent  circuit  shown  in  Figure  3.1-1  (see  Ref  8).  The  peak  value  of  the  Norton  equivalent 
IN  is  given  by 


K  = 


D  <  2vt 

o 

D  >  2vt 

o 


(3.1-1) 


where  K  is  the  normalized  cable  source  term  (C-cm/cal),  <t>  is  the  X-ray  fluence  (cal/ 
2  no  r  in 

cm  ),  tQ  is  the  radiation  FWHM  pulse  width,  v  ~  2/3c,  and  D  is  the  cable  length.  The 
Norton  impedance  is  given  by 


SGEMP  EXCITATION 


NORTON  EQUIVALENT 


Figure  3.1-1.  Definition  of  an  SGEMP  Pin 
Specification  in  Terms  of  a 
Norton  Equivalent  Circuit 
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(3.1-2) 


For  purposes  of  this  preliminary  assessment  we  ignore  the  attenuation  of  the  X-rays 
through  the  satellite  skin,  which  is  reasonable  for  a  hot  X-ray  spectrum.  Accord¬ 
ingly,  the  normalized  source  term  Knorm  which  in  principle  depends  on  the  X-ray 
spectra,  will  be  evaluated  for  an  energetic  X-ray  spectrum. 

The  circuit  inside  the  box  is  reduced  to  its  most  vulnerable  semiconductor 
device  on  the  one  hand,  and  its  terminal  protection  on  the  other,  and  attenuation 
between  protection  and  part  is  ignored.  This  is  shown  schematically  in  Figure  3.1-2. 


■N 


|  TERMINAL  j 
PROTECTION 

I _ I 


MOST 

VULNERABLE 
,  SEMICONDUCTOR 
I  DEVICE 


Figure  3.1-2.  Equivalent  Circuit  for  Estimating  Susceptibility 
of  Circuit  to  SGEMP  Burnout 

It  is  assumed  that  the  most  vulnerable  device,  if  it  fails,  will  fail  at  the 
junction  closest  to  the  pin  in  question.  The  effects  of  being  connected  to  multiple 
pins  which  are  being  driven  simultaneously  are  ignored.  It  is  further  assumed  that  the 
SGEMP  signal  drives  both  the  terminal  protection  junction  (if  it  is  a  zener)  and  the 
vulnerable  device  into  the  active  region  where  they  are  both  modeled  as  bulk  resistance 
in  series  with  a  battery  whose  value  is  the  reverse  breakdown  voltage.  If  we  allow 
1^  to  represent  the  reduced  current  arriving  at  the  vulnerable  device  due  to  the  atten¬ 
uation  of  IN  by  the  terminal  protection,  where 

ID=a|IN|  (3.1-3) 


then  the  power  delivered  to  the  junction  is 


P  = 


lD  rD  +  IDVD 


(3.1-4) 
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where  rD  is  the  bulk  resistance  of  the  device,  and  VQ  is  the  device  breakdown  voltage. 
We  will  compare  P  with  the  Wunsch-Bell  damage  constant  in  the  form 


P  =  At-0 

^damage  *Leff 

where  tg.^,  the  effective  pulse  width  of  the  signal 


(3.1.5) 

delivered  by  the  cable,  is 


*eff  “2  (to  +  “>  ,3-'-6) 

and  A  and  B  are  empirical  constants  obtained  from  pulse-power  burnout  measurements.6) 
By  equating  P  and  Pdamage»  and  noting  that  IQ  is  proportional  to  free  field  fluence  <J>, 
one  solves  for  the  fluence-to-fail  ^a ^ -j » 


-  VfV  *  4AW8  rD 
^fail  2a[rN/^]rD 

where  [IN/<t>]  is  the  normalized  Norton  equivalent  driver  (current/fluence).  Formulas 
for  a  for  the  different  possible  protection  schemes  are  shown  in  Table  3.1-1.  Since  the 
parameters  that  comprise  <(>f  ^  have  a  statistical  distribution  then  so  will  <t>fal--| »  and, 
as  discussed  in  Section  2,  SANE  2  will  generate  the  damage  function  (i.e.,  the  distribu¬ 
tion)  for  <J>fal-r 
Classification  of  Data 

For  purposes  of  gathering  data  for  SGEMP  burnout  in  the  most  efficient  manner 
the  parameters  comprising  the  damage  function  are  grouped  into  four  categories,  namely, 

I :  threat 
II:  cable 

III:  terminal  protection 
IV:  vulnerable  device 

The  parameters  which  are  associated  with  these  categories  are  shown  in  Table  3.1-2. 

Cable  source  terms  and  characteristic  impedance  are  indicated  in  Table  3.1-3. 

Preparation  of  the  SGEMP  Burnout  Failure  Mode  Data  Sheet 

The  steps  for  filling  in  the  failure  mode  data  sheet  are  illustrated  in 
Table  3.1-4  where  an  example  is  given.  The  steps  are  as  follows: 

1)  By  examining  the  FSC  Electrical  Schematic  Data  book,  identify  the 

•  box  (unit)  number 

•  connector  number 

•  pin  number 
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Table  3.1-1.  Attenuation  of  1^  by  Terminal  Protection 


Terminal  Protection 


Zener  Diode 


Capacitor  Filter 


Protection  Parameters 

VD  =  zener  breakdown  V 
BD 

rg  =  zener  bulk  R 
C  =  capacitance 


1^  Attenuation  Factor 

a 


a  = 


r 

r 


B 

D 


1  +  J-  +  4£ 


Series  Resistor 

Back-to-Back  Zeners 

Zener  +  Resistor 


R  =  resistance 

V„  =  zener  breakdown  V 
BD 

rg  =  zener  bulk  R 

VD  =  zener  breakdown  V 
B0 

r„  =  zener  bulk 
resistance 

R  =  resistance 


a  '  R  +  rD  t 


rD+  R 


•  circuit  protection  class 

•  vulnerable  device:  If  several  devices  are  candidates,  use 
Table  3.1-5,  which  reports  the  power  to  fail  at  1  usee 

2)  From  the  System  Interface  Document  identify  the  cable  type  connecting 
the  pin 

3)  From  the  FSC  Wire  List  identify  the  cable  length. 

Pages  of  the  FSC  Electrical  Schematic  Data  Book, 16 ^  System  Interface  document,17^  and 
Wire  length  table*^  are  shown  in  Figures  3.1-3,  3.1-4,  and  3.1-5  respectively.  These 
are  used  in  constructing  the  example  of  the  failure  mode  data  sheet  shown  in 
Table  3.1-4. 
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Table  3.1-2.  SGEMP  Parameter  Categories 


Category 

Parameters 

Source  of  Information 

I: 

threat 

pulsewidth  t 

0 

arbitrary 

spectrum 

arbitrary 

II: 

cable 

length  D 

FSC  wire  length  table. 

Ref  15 

direct  injection  source 
term 

Table  3.1-3 

characteristic 
impedance  ZQ 

Table  3.1-3 

III: 

terminal  protection 

a)  zener:  breakdown 
voltage  and  bulk 
resistance 

Ref  6 

b)  capacitor  filter:  C 

FSC  Electrical  Schematic, 
Data  Book, Ref  16 

c)  series  resistor:  R 

FSC  Electrical  Schematic 
Data  Book,  Ref  16 

d)  back-to-back  zeners 

same  as  a) 

e)  series  resistor  + 
zener 

same  as  a)  and  c) 

IV: 

susceptible  device 

breakdown  voltage, bulk 
resistance, and  damage 
constant 

Ref  6 
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Table  3.1-3.  FLTSATCOM  Cables 


FSC 

Cable 

Type 

Specification 

Number 

Characteristic 

Impedance 

(n) 

1  SI  6 

3A002-008 

3.4 

1  S20 

3A002-006 

11.2 

1  S24 

3A002-004 

18.8 

1S26 

3A002-003 

26 

1  S28 

3A002-002 

33 

CX28 

3A021-001 

50 

S141 

3A024-002 

50 

Cable  Source  Term 
at  50  keV 

Knorm((C  ~  cm)/ca1  > 
-1.76  x  10‘8 
-7.93  x  10‘9 
-4.75  x  10"9 
-3.49  x  10"9 
-2.76  x  10-9 
-2.88  x  10“9 
7.98  x  10J1 
-3.07  x  10"8 


SR90 


3A024-005 


50 


Table  3.1-4.  Failure  Mode  Data  Sheet  for  SGEMP  Burnout 


COMMAND  BOARD 
PART  OF  A  4 A  3 


Figure  3.1-3.  FLTSATCOM  Circuit 
Schematic:  Example 


Figure  3.1-4.  FLTSATCOM  System  Interface  Document:  Example 


•WIRE  LENGTH 

table* 

f  R  0 1  UNIT 

TO  UNIT 

length 

2u  1 

124 

7.7 

2J  1 

1  5o 

5.  a 

2w  1 

2  (.  1 

1.0 

2u  l 

211 

1 .  U 

2  u  1 

202 

2.6 

2  j  1 

20? 

13.7 

2U  1 

211 

13. 0 

20  1 

212 

13.3 

2  ;  1 

213 

13. a 

2  j  1 

2m 

11.2 

2d  1 

217 

14.3 

2  J 1 

2  in 

a .  o 

2  j  1 

21'* 

16.2 

2  J  1 

220 

11.6 

2  J  1 

221 

10.3 

Figure  3.1-5.  FITSATCOM  Wire  Harness  Lengths:  Example 
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F”. 


Estimate  of  Cavity  Field  Coupling 

The  hardening  effort  on  FLTSATCOM  to  reduce  the  effects  of  cavity  field 
excitation  on  cables  was  to  coat  the  interior  of  the  satellite  with  cat-a-lac  paint, 
a  low-Z  material,  in  order  to  minimize  electron  emission,  and  to  employ  shielded 
cabling.  No  specific  criteria  for  shielding  effectiveness,  for  the  purpose  of  making 
cavity  field  coupling  less  than  direct  injection  response,  were  imposed. 

The  detailed  physical  models  which  might  be  used  for  coupling  calculations 
have  not  been  developed  to  the  point  of  supplying  validated  engineering  models  for 
estimating  coupling  to  cables.  Accordingly  the  formalism  developed  here,  which  is 
based  on  Ref  12,  has  substantial  uncertainties.  We  assume,  for  example,  that  a  quasi¬ 
static  picture  describes  E-  and  H-field  coupling  and  therefore  that  E  and  H  fields  are 
decoupled,  even  though  the  validity  of  this  assumption  has  not  been  demonstrated. 

Electric  Field  Coupling  to  Shields 

The  effect  of  electron  emission  from  a  surface  is  to  produce  a  dipole  layer 
of  charge  whose  static  E-field  couples  to  system  cabling.  The  current/length 
induced  on  a  shield  by  E-field  coupling  (see  Figure  3.1-6)  is  given  by 


K 


E 


=  C' 


dV 

dt 


(3.1-7) 


dV 

di 


KE0(,-4rt->'  D<2c,o 
o 

ei  ,  D>2ct 

o  o 


Figure  3.1-6.  Electric  Field  Coupling  Model 
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where  C1  is  the  capacitance/length  of  wire  of  diameter  a  distance  ji  above 
plane 


—  is  the  time  derivative  of  voltage  at  the  cable 


dV  .  Elh 
dt  "  Tp 

h  is  the  height  of  cable  above  ground  plane  (m) 

is  the  characteristic  E-field  from  electron  emission  (V/m) 

El  ■  9  *  10'5  [E  v  ri]1/3  5 


E  =  average  electron  energy  (keV) 

Y  =  electron  yield  (electrons/cal )  from  cat-a-lac  for  20  keV 
photons 

Y  =  4.5  x  1010 


2  2  6 

Rj  =  flux  rise  rate  (cal/cm  /sec  )  =  -£ 

to 

2 

<f>  =  fluence  (cal/cm  ) 

t  =  FWHM  of  assumed  triangular  X-ray  pulse  (sec) 
Tp  =  time  for  limiting  to  occur  (sec) 


0.7 


v/F 


Y  R, 


1/3 


a  ground 

(3.1-8) 

(3.1-9) 

(3.1.10) 

(3.1-11) 

(3.1-12) 

(3.1-13) 

(3.1-14) 

(3.1-15) 

(3.1-16) 
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iip.au  mi 


■ 


3 


The  net  shield  current  induced  by  the  electric  field  coupling  is  obtained  from  by 


(3.1-17) 


Magnetic  Field  Coupling  to  Shields 

For  the  calculation  of  the  magnetic  field  coupling  the  loop  formed  by  the 
cable  and  the  panel  wall  to  which  it  is  grounded  is  shown  in  Figure  3.1-7.  A  cylin¬ 
drical  column  of  current  of  radius  rQ  produces  a  magnetic  field  B  of  magnitude 


B  = 


J,r 

O  1  0 
2 


(3.1-18) 


Figure  3.1-7.  Magnetic  Field  Coupling 


Here  Jj  is  the  net  space  charge  limited  current  density  accounting  for  the  net  current 
emitted  from  the  satellite  walls. 


(t)-1-1  x  10’15  t/Fv2 


1/3 


(3.1-19) 
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m 


V 


rQ  will  be  taken  as  half  the  maximum  cavity  dimension,  namely  rQ  =  lm.  The  ampli¬ 
tude  of  the  induced  shield  current  is 


I 


B 


Bh  .  , 

U  ’  L 


-1  2h 
d 


(3.1-20) 


where  h  is  the  height  of  the  cable  above  the  ground  plane,  and  d  is  the  wire  diameter. 
For  FLTSATCOM  the  assume  values  of  h^  and  <d  are 

h  =  5  cm 
d  =  0.1  cm 


L'  in  this  instance  represents  the  inductance/length  of  the  transmission  line  consist¬ 
ing  of  the  shield  of  diameter  c[  a  distance  above  a  ground  plane. 

Direct  Drive  of  Cable  Shields 

The  induced  current/length  for  charge  deposited  directly  on  the  shield  of 
cables  having  been  emitted  from  the  wall  directly  beneath  it  is  given  by 


So  ■  V 


(3.1-21) 


where  d,  the  cable  diameter  =  0.1  cm,  and  was  given  in  Eq.  (3.1-19)  above.  The 
net  current  on  the  cable  is  estimated  to  be 


DD 


'W 


D 

4ct  o'  ’ 

0  >  2ct 

( 

cto  * 

D  <  2ct( 

(3.1-22) 


Shield-to-Core  Coupling 

A  rough  estimate  of  the  induced  core  current  I  induced  by  a  shield  current 
^shield  actin9  through  a  transfer  impedance  of  magnitude  Zy  and  the  dominant  frequen¬ 
cies  of  excitation  is  given  by*^ 


ZjD 

!c  =  Shield  2ZQ 


(3.1-23) 


Li 
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This  expression  is  valid  where  the  core  is  terminated  in  its  characteristic  impedance 
ZQ  at  both  ends,  and  the  cable  length  D  is  short  with  respect  to  the  dominant  wave¬ 
lengths  of  the  pulse.  A  pulse  of  width  20  ns  corresponds  to  a  distance  of  approxi¬ 
mately  6m,  while  the  average  length  of  cable  in  FLTSATCOM  is  D  <  2m,  suggesting  that 
the  above  formula  is  reasonable.  The  AVCS  employs  braided  hookup  wire  with 
ZQ  »  lOfi  and  Zj  ~  0.2  Q/m  at  20  MHz,  based  on  measurements  from  Ref  14  on  FLTSATCOM 
braided  20  and  28  gauge  cable. 

Using  these  values  in  the  above  formula 


I 


c 


=  0.02  I 


shield 


(3.1-24) 


Comparison  of  Cavity  Field  Coupling  Estimates  with  Direct  Injection 

The  formulas  derived  above  are  used  to  estimate  the  core  wire  current  from  the 

2 

various  SGEMP  coupling  mechanisms  for  an  X-ray  fluence  of  1  cal/cm  ,  and  pulse  width 
t  =  20  ns.  The  cable's  length  is  2m,  its  diameter  is  0.1  cm  and  it  is  located  5  cm 
above  the  ground  plane  which  is  coated  with  carbon  for  purposes  of  calculating  electron 
emission.  The  core  current  from  cavity  field  coupling  is  taken  to  0.1  Ishield*  which 
is  more  generous  than  0.02  ^shield  derived  in  Eq.  (3.1-24).  The  maximum  cavity  dimen¬ 
sion  is  100  cm. 

The  following  comparisons  are  obtained 


SGEMP  Mechanism  Core  Current  (A) 

direct  injection  180 

E-field  5 

magnetic  field  *** 

direct  charge  deposition 

Accordingly,  cavity  field  coupling  will  not  be  included  in  the  AVCS  assessment. 

Damage  Functions  for  Box  IEMP 

A  direct  coupling  mechanism  for  SGEMP  excitation  within  a  box  occurs  from 
electrons  emitted  from  the  box  walls  and  circuit  boards,  as  shown  in  Figure  3.1-8. 

For  FLTSATCOM  the  AVCS  boxes  are  coated  with  2-3  mils  of  cat-a-lac  paint  to  reduce 
electron  emission,  and  the  fiberglass  circuit  boards  are  coated  with  30  mils  of  poly¬ 
urethane.  Both  of  these  materials  are  predominantly  carbon,  and  will  be  treated  as 
such  for  the  purposes  of  calculating  the  net  electron  emission  J^-p  Assuming  that 
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CIRCUIT  TRACES 


VULNERABLE 

DEVICE 

PARAMETERS: 
rD,  VD,  DAMAGE 
CONSTANT 


Ip  (A)  =  0. 16 F  (cal/cm^) 


Figure  3.1-8.  Box  IEMP 

all  the  electrons  traveling  within  a  distance  w  on  either  side  of  a  circuit  board  con¬ 
ductor  trace  contribute  their  entire  amount  of  charge  to  the  replacement  current  along 
that  trace,  the  maximum  contribution  to  the  Norton  Equivalent  IN  in  Figure  3.1-1  is 
estimated  to  be 


=  ^NET  (3.1-25) 

where  w  could  be  the  distance  between  two  traces  on  the  same  board,  or  the  separation 
between  two  boards,  and  L  is  the  maximum  box  dimension.  For  this  assessment  w  will  be 
taken  as  2  cm  and  L  =  20  cm.  The  net  peak  emission  current  density  for  carbon  at 
20  keV  for  a  10  ns  pulse  is 


JNET  (~^t)  s  0,16  ^  (~ t)  (3.1-26) 

'em'  'em/ 

based  on  a  net  nonspace-charge  limited  emission  yield  from  Dell  in  and  MacCallum 
11)  -5 

tables  of  2  x  10  electron/photon.  This  represerts  the  emission  after  the  free 
field  fluence  <j>  was  attenuated  by  60  mil  of  aluminum  satellite  skin  thickness  as  well 
as  box  thickness.  Inserting  the  values  of  L  and  w  mentioned  above 

IN  (Amp)  =  6*  (^4)  (3.1-27) 

\cm  / 
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This  compares  to  180$  amp  for  direct  injection  using  the  earlier  example.  However, 
note  that  while  the  excitation  of  a  circuit  trace  is  equivalent  to  exciting  a  pin  for 
the  coupling  to  cables  outside  the  box,  in  this  case  there  is  no  intervening  protec¬ 
tion  circuitry  between  the  part  and  the  pin.  For  this  reason  Box  IEMP  is  included  in 
the  assessment.  For  purposes  of  calculating  susceptibility  (fluence  to  fail,  $pAIL) 
of  the  most  vulnerable  part,  1^  =  Ig  in  Eq.  (3.1-3)  and  Table  3.1-1,  and  =  =». 

3.2  TREE  BURNOUT. 

History  of  FLTSATCOM  Hardening  Effort  for  TREE  Burnout 

The  hardening  effort  concentrated  chiefly  around  placing  current  limiting 
resistance  in  the  leads  of  all  semiconductor  devices.  The  magnitude  of  the  resistance 
was  at  least  one  ohm  per  volt  of  power  supply  to  the  device  in  question.  In  some  RF 
circuits  inductance  was  used  in  place  of  resistance. 

The  analysis  used  to  verify  that  the  current  limiting  was  sufficient  was 
simply  to  compare  the  maximum  power  that  could  be  transferred  to  the  device  in  a 

p 

matched  load  configuration,  V  /(4R),  where  V  is  the  supply  voltage  and  R  is  the 

c*  c.  Cl 

current  limiting,  with  the  maximum  continuous  power  rating  Pc  supplied  by  the  vendor 
for  the  device  (see  Figure  3.2-1).  Since  Pc  is  most  likely  a  "3a"  lower  limit  on  a 
distribution  of  power  for  failure,  the  FLTSATCOM  hardening  was  probably  very 
conservative. 


A  V  V 

T  cc  PC  =  CONTINUOUS  POWER  RATING  * 

<  R  Vcc=  POWER  SUPPLY  VOLTAGE 

R  =  CURRENT  LIMITING  RESISTANCE 

DEVICE 


Figure  3.2-1.  FLTSATCOM  Analysis  for  Photocurrent  Burnout 


The  test  verification  effort  centered  about  100%  lot  sampling  of  parts 
(5  parts/lot,  300-400  lots)  in  the  TRW  Vulcan  FXR  at  dose  rates  of  10X  the  criterion 
environment.  The  criterion  environment  in  this  case  was  derived  from  the  incident 
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X-ray  flux  and  its  expected  attenuation  into  the  boxes.  This  was  probably  both  rea¬ 
sonable  and  conservative  since  the  hardening  measures  themselves  are  independent  of 
dose  rate.  On  the  other  hand  we  observe  that  this  limited  amount  of  testing  cannot 
give  significant  statistical  confidence  in  hardness. 

Failure  Mode  Identification 

The  failure  mode  for  TREE  burnout  occurs  at  the  part  level.  The  failures,  if 
they  occur,  are  taken  to  be  functionally  independent,  i.e.,  loading  effects  are  ignored, 
and  parts  are  treated  statistically  "in  series,"  i.e.,  failure  of  any  part  fails  the 
system. 

Probability  of  Part  Survivability 

Consider  the  radiation  response  of  a  diode,  as  shown  in  Figure  3.2-2.  If 
the  power  supply  biases  the  diode  in  the  forward  direction,  then  the  effect  of  the 


I _ 


Figure  3.2-2.  Equivalent  Circuit  Model  of  the 
Radiation  Response  of  a  Diode 


photo-current  generator  will  be  to  drive  more  current  through  the  ideal  diode  thus 
increasing  VQ  slightly  to  VQ  +  AVp  and  therefore  reducing  IR  to  (Vcc  -  VQ  -  aVq)/R. 

The  net  power  dropped  across  the  device,  IR  VD,  is  therefore  only  slightly  affected  by 
the  radiation.  In  the  reverse  bias  situation  where  the  radiation  is  insufficient  to 
turn  on  the  ideal  diode,  the  transient  photocurrent  I  will  buck  the  dc  current 
V^/R,  making  IR  =  V^/R  a  worst  case  estimate  of  the  current  through  R,  »  Vc(., 
and  V^c/R  a  worst  case  estimate  of  the  power.  This  is  obviously  too  high  since 
4/(4R)  is  the  maximum  power  transfer.  Finally  if  I  is  large  enough  to  turn 
on  the  device,  it  is  possible  to  get  negative  power  in  the  device 


♦ 
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Ir  VD  a  -  Ipp  VQ  (solar  cell  effect).  In  any  case,  it  would  seem  that  a  worst  case 

estimate  of  power  drops  across  junctions  in  semiconductor  devices  is  4/(4R),  a 

result  which  is  independent  of  dose  rate.  This  is  something  of  an  idealization  in 

some  cases  since  the  "R"  in  an  integrated  circuit,  for  example,  may  be  reduced  by  the 

radiation  environment,  giving  rise  to  an  explicit  dose  rate  dependence.  The  amount  of 

uncertainty  from  this  effect  is  unclear. 

Rather  than  compare  the  power  drop  with  P  ,  the  continuous  power  rating,  which 

c  _  n 

is  too  conservative  we  will  use  the  Wunsch-Bell  damage  constant  P^g  =  At  .  Since  P^g 
has  a  known  statistical  distribution,  the  percent  of  the  distribution  below  V^/(4R)  is 
the  part's  probability  of  failure. 

Classification  of  Data 

The  two  categories  of  data  for  TREE  burnout  are 
I:  semiconductor  type 

II:  current  limiting  configuration  (usually  Vrr  and  resistance  in  leads 
of  device) 

While  there  are  hundreds  of  semiconductor  devices  in  the  AVCS  subsystem  there 
are  only  a  relatively  few  number  of  distinct  part  types.  The  parameters  associated 
with  these  categories  are  shown  in  Table  3.2-1. 


Preparation  of  the  TREE  Burnout  Failure  Mode  Data  Sheet 

The  steps  for  filling  in  the  failure  mode  data  sheet  are  illustrated  in 

Table  3.2-2  where  an  example  is  given.  The  steps  are  as  follows:  By  examining  the 
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FSC  Electrical  Schematic  Data  Book  ,  identify  the 

•  box  (unit)  number 

•  connector  number 

t  component  (i.e.,  semiconductor  part) 

•  current  limiting  in  each  of  the  leads 

Table  3.2-1.  TREE  Burnout  Parameter  Categories 


Category 

Parameters 

Source  of 

Information 

1  I:  semiconductor  type 

Wunsch-Bell  damage  constants 

Ref  6 

:  II:  current  limiting 

V^g,  lead  resistance 

Electrical 

Schematic 

|  configuration 

Data  Book 

An  example  of  an  electrical  schematic  has  already  been  given  in  Figure  3.1-4. 

3.3  PERMANENT  DEGRADATION 

History  of  FLTSATCOM  Hardening  Effort  for  Permanent  Degradation 

FLTSATCOM  was  hardened  against  the  permanent  degradation  effects  of  criteria 
total  doses  from  neutrons,  y,  and  fission  electrons,  with  the  electron  dose  represent¬ 
ing  the  most  significant  threat  environment.  The  effects  of  short  term  annealing  on 
circuit  operation  were  not  considered  specifically  since  this  could  be  considered  in 
the  context  of  functional  upset  hardening  via  fault  tolerant  design.  The  obvious 
hardening  approach  was  to  use  radiation  insensitive  parts  on  the  one  hand,  and  cir¬ 
cuitry  insensitive  to  parameter  degradation  on  the  other. 

In  order  to  accomplish  the  hardening,  derating  values  were  obtained  for 
individual  part  degradation  by  irradiating  parts  at  some  factor  above  the  criteria 
environments  using  the  y  source  (simulating  the  ionizing  total  dose)  and  a 
nuclear  reactor.  100%  lot  sample  tests,  5  parts/lot  were  conducted.  The  average 
derated  parameter  values  were  then  used  as  the  design  standard  by  the  circuit 
designers  who  would  define  worst  case  values  of  the  parameters  where  the  circuit  in 
principle  would  not  work,  thus  establishing  a  design  margin  for  the  circuitry.  Unfor¬ 
tunately,  how  the  designer  established  these  worst  case  values  for  parameter  degrada¬ 
tion  was  not  usually  documented. 

One  disconcerting  thing  from  the  point  of  view  of  our  data  acquisition  was 
that  derating  values  for  n  and  irradiation  were  not  reported  separately. 

Failure  Mode  Identification 

Generally  degradation  of  the  individual  part  is  taken  to  cause  failure  of  the 
circuit.  For  some  RF  applications  the  entire  circuit  degradation  should  be  considered, 
but  no  such  circuits  are  present  in  the  AVCS  subsystem. 

Damage  Function  Analysis  for  Permanent  Degradation  from  Neutrons 

We  assume  that  the  free  field  environment  of  neutrons  is  unattenuated  to  the 
part  under  consideration.  Let  x..  represent  the  pretest  value  of  a  given  parameter, 
xn  the  post-test  irradiated  value.  Then  the  change  in  parameter  as  a  function  of  dose 

r  2 

(n/cm  )  is  assumed  to  be  given  by 

^  -  V  <3-3-» 
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where  is  a  constant  derived  from  the  FLTSATCOM  pre-  and  post- test  parameter 
values.  Recall  that  the  FLTSATCOM  deratings  did  not  distinguish  between  damage  from 
n  or  y.  As  a  worst  case  estimate  we  assume  that  neutrons  were  solely  responsible  for 
the  derated  values,  and  therefore  K  obtained  in  this  way  should  be  fairly  conserva¬ 
tive.  Then  if  we  represent  Xpm  as  the  minimum  (or  maximum)  acceptable  design  limit 
for  the  parameter  (which  is  provided  by  the  FSC  designer  in  the  FSC  CDR  package^) 
then  the  failure  criterion  for  fluence  is 


Vail 


(3.3-2) 


Since  K  was  based  on  measurements  of  X„  which  have  a  statistical  distribution  which 
n  p 

is  also  reported  in  the  CDR  package,  then  <j>j.  ^  also  has  a  distribution  which  is  by 
definition  the  damage  function. 

If  a  device  has  several  degraded  parameters,  the  minimum  value  of  <|>,  „  for 
all  parameters  w1'!!  be  employed  as  the  damage  function. 


Conversion  Between  Neutrons  and  X-ray  Fluence 

Since  both  X-rays  and  neutrons  are  "inverse  square"  effects,  it  is  pos¬ 
sible  to  convert  directly  from  neutron  fluence  to  X-ray  fluence.  Therefore,  the 
damage  function  can  be  displayed  on  the  same  graph  as  the  SGEMP  and  TREE  burnout 
damage  functions. 

Damage  Function  Analysis  for  Permanent  Degradation  From  Total  Ionizing  Dose 

The  same  analysis  above  will  apply  for  total  ionizing  dose,  except  Kn-*-K  . 

In  this  case,  however,  the  free  field  environment,  which  will  be  represented  en- 

2 

tirely  by  fission  electrons  (t  is  electrons/cm  ),  must  be  attenuated  to  the  parts 
in  question,  which  is  described  below. 

The  Trapped  Radiation  Handbook^  gives  a  nomograph  (Figure  3.3-1)  for  the 
depth  dose  for  fission  electrons  as  a  function  of  thickness  of  aluminum.  Now, 
FLTSATCOM  provides  20  mils  of  aluminum  shielding  by  its  satellite  panels  and  40  mils 
of  aluminum  shielding  by  its  electronics  boxes.  If  the  X-ray  shielding  of  the  boxes 
is  ignored  along  with  the  Kovar  packaging  of  the  devices,  this  shielding  represents 
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3  2 

60  mils  x  2.78  g/cm  =  0.42  g/cm  of  aluminum  shielding.  Using  the  nomograph  (Fig- 

2 

ure  3.3-1)  the  conversion  factor  from  free  field  environment  (e/cm  )  to  dose  at  the 

•8  2  60 
box  is  10~°  rads  (Si )/e/cm  .  Now  one  is  in  position  to  use  the  FSC  C°  derating  data 

which  were  reported  in  terms  of  rads  (Si),  and  the  damage  function  can  now  be  plotted 

as  a  function  of  <j>  . 

Unfortunately,  weapon  electrons  fluences  are  not  "inverse  square"  effects,  but 
depend  upon  the  altitude  of  burst  and  satellite  location  in  the  earth's  magnetic  field 
lines,  i.e.,  satellite  orbit,  as  well  as  yield.  Therefore  the  damage  function  for 
total  electron  dose  cannot  be  arrayed  on  the  same  graph  as  the  other  damage  functions, 
and  will  be  plotted  separately. 

Classification  of  Data 

The  only  class  of  parameters  required  to  assess  damage  are  a  given  part's  pre- 
and  post-test  irradiated  values,  and  the  worst-case  design  limit.  This  data  is  pro¬ 
vided  in  the  FSC  CDR  package.  The  parameters  that  are  likely  to  be  degraded  are:  B, 
common-mode  rejection  ratio,  offset  voltage,  etc. 

Preparation  of  the  Permanent  Degradation  Failure  Mode  Data  Sheet 

The  steps  for  filling  in  the  failure  mode  data  sheet  are  illustrated  in 
Table  3.3-1  where  an  example  is  given.  By  examining  the  FSC  Electrical  Schematic  Data 
Book^,  identify  the 

•  box  (unit)  number 
t  connector  number 

•  subassembly 

•  component 

3.4  FUNCTIONAL  UPSET 

History  of  FLTSATCOH  Hardening  Effort  for  Functional  Upset 

Functional  upset  is  defined  as  the  presence  of  a  transient  due  to  radiation 
that  causes  loss  or  degradation  of  a  mission  critical  function.  The  transient  require¬ 
ments  imposed  on  the  performance  of  FLTSATCOM  can  be  summarized  as  follows: 

a)  no  change  in  mode,  operational  status,  or  redundancy  configuration 

b)  no  change  in  location  or  orientation 

c)  no  undesired  processing  of  commands 
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d)  normal  operation  restored  in  X  seconds 

e)  no  loss  of  a  bit  at  operate  through  level  (communication  subsystem 
only) 

The  transient  effects  which  could  prevent  these  requirements  from  being  met  may  be 
due  either  to  irreversible  changes  in  circuitry  status  or  unacceptably  long  circuit 
recovery  times.  In  order  to  identify  functional  upset  failure  modes  functional  anal¬ 
ysis  was  performed  to  translate  the  FLTSATCOM  performance  criteria  into  specific 
transient  requirements  which  indicated  which  circuits  had  to  be  hardened  to  prevent 
unacceptable  transient  scrambling  and  to  define  allowable  circuit  outage  times  to 
satisfy  system  requirements.  Since  a  detailed  transient  analysis  of  each  circuit  in 
the  satellite  was  intractable,  an  alternative  simpler  approach  was  developed,  based 
on  the  concept  of  fault  tolerant  design. 

Fault  tolerant  design  as  implemented  in  FLTSATCOM  made  two  basic  assumptions. 
First,  since  all  circuits  would  be  exposed  in  the  same  short  time  interval  they  would 
recover  in  parallel,  implying  that  the  recovery  time  of  a  given  channel  would  be 
governed  by  the  recovery  times  of  the  circuits  with  the  longest  time  constants.  Thus, 
only  circuits  with  long  recovery  times  relative  to  the  allowable  outage  times  would 
require  attention.  Secondly,  it  assumed  that  all  circuits  that  can  be  upset  will  upset, 
regardless  of  environment  level,  thereby  making  the  hardening  effort  independent  of 
both  environment  and  level.  The  first  step  in  exercising  the  fault  tolerant  approach 
was  to  perform  a  functional  analysis  which  translated  the  transient  performance 
requirements  at  the  spacecraft  system-level  into  requirements  at  the  subsystem  and  com¬ 
ponent  levels. 

In  the  FLTSATCOM  functional  analysis,  the  spacecraft  was  divided  initially 
into  a  unique  set  of  functions.  Each  function  was  clearly  definable  in  terms  of  input 
and  output  requirements  at  the  system  level.  This  set  of  functions  completely 
described  all  spacecraft  performance  requirements  for  normal,  on-orbit  operations. 

For  example,  the  functions  performed  by  the  AVCS  include  S-band  command  processing  and 
spacecraft  orientation.  After  the  functions  were  defined,  each  one  was  divided  into 
its  component  functional  elements  where  each  functional  element  was  contained  within 
a  single  electronic  box.  Next,  a  failure  mode  and  effect  analysis  was  performed  on 
each  function  to  determine  the  system  effects  of  transient  upsets  in  the  various  func¬ 
tional  elements.  Transient  upsets  that  resulted  in  unacceptable  system  performance 
according  to  system-level  survivability  performance  requirements  were  identified  for 
hardening.  These  data  were  then  used  in  the  development  of  subsystem  and  box-level 
performance  requirements. 


Failure  Mode  Identification  for  Functional  Upset  j 

The  performance  requirements  for  the  AVCS  subsystem  are  shown  in  Fig-  1 

i 

ure  3.4-1.  The  identification  of  the  functions  therein  are  precisely  the  failure 
modes  in  this  assessment. 

Data  on  functional  upset  verification  that  the  subsystem  level  transient 
requirements  were  satisfied  on  the  AVCS  was  provided  by  Flash  X-ray  testing.  In 
these  tests  various  critical  logic  states  and  recovery  times  are  monitored  during 
six  shots  at  either  the  survive  or  operate-through  level  of  radiation.  The  data  col¬ 
lected  during  the  FXR  tests  indicate  the  parameter  value  measured  for  each  shot 
relative  to  their  performance  requirements. 

Preliminary  Assessment  Approach  for  Functional  Upset 

Since  the  hardening  approach  used  by  FLTSATCOM  for  functional  upset  is  based 
on  fault  tolerant  design  it  seems  entirely  consistent  to  also  use  fault  tolerance  with 
its  inherent  assumptions  as  the  basis  of  a  preliminary  assessment  methodology.  The  pri¬ 
mary  consequence  of  such  an  approach  is  that  the  functional  upset  assessment  can  then  be 
made  independent  of  the  environment.  This  would  enable  us  to  use  the  data  generated 
by  the  FXR  testing  of  the  AVCS  to  predict  survivability  of  the  subsystem  to  func¬ 
tional  upset.  Although  the  assessment  approach  is  as  yet  still  tentative  it  is  envi¬ 
sioned  as  follows.  Associated  with  each  electronic  box  of  the  AVCS  is  a  set  of  values 
for  critical  parameters,  e.g.,  recovery  times,  monitored  during  the  six  FXR  shots.  By 
using  the  data  associated  with  the  higher  survive  level  radiation  one  ensures  that  suf¬ 
ficient  energy  is  delivered  to  sensitive  electronics  to  upset  those  circuits  which  are 
disturbable.  The  experimental  data  for  each  of  the  six  FXR  shots  gives  a  cumulative 
distribution  of  sample  parameter  values.  This  distribution  can  in  turn  be  compared 
with  the  performance  requirements  value  to  obtain  the  probability  that  the  parameter 
remains  within  specification.  If  one  further  assumes  that  all  measured  parameters 
contribute  independently  to  the  box  survivability  one  can  obtain  the  probability  of 
survival  of  the  box.  Similarly,  box  survivabilities  can  be  combined  to  yield  AVCS 
function  survivability. 

Admittedly,  the  limited  data,  namely  that  from  only  6  FXR  shots,  will  provide 
a  very  limited  statistical  confidence  in  the  calculated  survivability.  However,  the 
constraints  of  the  preliminary  assessment  dictate  that  it  be  based  only  on  whatever 
data  presently  exists.  It  should  be  emphasized  that  this  assessment  approach  outlined, 
based  as  it  is  on  fault  tolerant  design,  will  give  a  probability  of  survival  that  is 
independent  of  environment. 


S-Band 

Command 

Processing 


AVCS  Command  Decoding 

This  element  includes  remote  decoding  matrices  located  in 
the  AVCS  Control  Electronics  Assembly  (CEA)  and  Actuation 
Electronics  Assembly  (AEA) .  The  proper  matrix  receives  the  data 
bits,  shift  clock,  and  enable  from  the  command  validation  and 
steering  element,  and  shifts  the  bits  into  a  shift  register. 

In  the  AVCS  decoding  elements  (three  each  in  the  AEA  and  one  in 
the  CEA) ,  the  command  word  is  telemetered  to  the  ground  for 
verification  and  is  not  executed  until  a  separate  execute  command 
processed  by  the  S-band  Command  Processing  function  through  the 
EIA  decoder,  is  received  by  the  CEA/AEA  decoding  elements.  Data, 
clock,  enable,  and  validate  lines  also  go  to  the  UHF  Command 
Decoder,  whose  function  will  be  described  in  a  later  section. 


Spacecraft 

Orientation 


Scan  Drive  and  Readout 

This  functional  element  drives  a  scanning  mirror  implemented 
so  that  the  earth  sensor  field  or  view  scans  across  the  earth 
disk.  The  scan  position  is  also  monitored  and  signals  are 
generated  giving  the  time  at  mid-scan  and  at  the  scan  limits. 


Radiance  Detection 

This  element  uses  a  thermistor  bolometer  to  detect  the  pre¬ 
sence  of  the  earth  disk  from  its  infrared  signal.  The  earth’s 
horizon  is  defined  by  the  time  the  bolometer  detects  the  change 
from  space  to  earth  radiance,  and  vice  versa. 

Error  Computation 

This  element  performs  the  initial  earth-pointing-error 
computation  by  comparing  the  earth  horizon  detection  and  the 
scanning  mirror  position  time  phasing.  The  error  signal  is 
supplied  to  the  earth  sensor  processing  element  for  further 
use.  The  scan  drive  and  readout,  and  radiance  detection  and 
error  computation  functional  elements  are  implemented  in  the 
Earth  Sensor  Assembly. 

Earth  Sensor  Processing 

This  element  operates  on  the  earth  pointing  errors  produced 
by  the  error  computation  element  to  generate  two  earth  pointing 
errors,  a  pitch  error  and  a  roll/yaw  error.  Each  of  these 
errors  is  averaged  over  a  x-second  sampling  period,  and,  for 
the  next  x-second  period,  the  pitch  error  is  supplied  to  the 
wheel  control  element  and  the  roll/yaw  error  to  the  thruster 
control  element. 


Potential  Transient  Failure  Modes 


AVCS  Command  Decoding 

Transients  could  cause  logic  scrambling  resulting  in  loss  of  a  command, 
an  acceptable  failure  mode.  If  a  burst  occurs  while  a  command  is  being 
decoded  an  undesired  command  can  be  processed,  also  an  acceptable  failure 
mode,  because  of  the  low  probability  of  such  an  occurrence.  However,  if 
the  decoding  matrix  outputs  can  be  activated  by  transient  response  for  a 
sufficiently  long  time,  an  undesired  command  could  be  carried  out  at  any 
time.  This  failure  mode  must  be  prevented. 


AVCS  Command 
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Scan  Drive  and  Readout,  Radiance  Detection,  and  Error  Computation 

These  three  elements  make  up  the  Earth  Sensor,  the  primary  reference 
sensor  for  the  normal  AVCS  control  mode.  Transient  upset  can  occur 
causing  false  timing  signals,  false  earth  detection  signals,  or  false 
error  signals  to  be  generated.  These  errors  will  be  propagated  through 
the  Spacecraft  Orientation  function  and  spurious  actions  may  be  taken 
based  on  these  erroneous  signals.  The  magnitude  of  the  effects  of  these 
spurious  actions  on  the  spacecraft  pointing  accuracy  depends  on  the 
maximum  levels  and  durations  of  the  false  error-signals.  In  general,  the 
errors  will  persist  until  the  next  error  sampling  operation  is  initiated, 
in  approximately  x  second. 
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Earth  Sensor  Processing 

In  the  earth  sensor  processing  element,  the  digital  pointing  angle 
error  is  stored  in  a  register  for  the  x-second  sampling  time,  and  is 
concurrently  converted  to  an  analog  voltage  signal  for  use  by  the  wheel 
and  thruster  control  elements.  The  holding  register  could  scramble  due 
to  an  event  and  present  a  false  pointing  error  to  the  control  laws  for 
up  to  x  second.  Response  to  a  false  pointing  error  signal  could  cause 
a  real  pointing  error  to  be  introduced.  A  worst  case  failure  mode  could 
be  hypothesized  as  follows:  a  burst  occurs  as  the  data  are  being  trans¬ 
ferred  from  the  error  computation  to  the  earth  sensor  processing  element, 
scrambling  both  the  error  computation  shift  register  and  the  sensor 
processing  holding  register;  the  holding  register  erroneous  data  will  be 
supplied  to  the  control  elements  for  x  second,  then  the  residual  error 
from  the  shift  register  will  be  transferred  to  the  holding  register  for 
the  next  x-second  period.  Thus,  a  false  error  signal  could  persist  for 
up  to  x  seconds.  The  preceding  analysis  ha::  shown  that  this  x-second  error 
time  is  acceptable. 
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Survivability  Transient  Requirements 
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AVCS  Command  Decoding 

Transients  in  the  conroand  decoding  elements  shall  not  cause  the  pro¬ 
cessing  of  a  command  during  the  time  that  no  command  is  being  transmitted; 
however,  the  hardening  of  command  storage  registers  in  order  to  avoid 
register  upset  during  the  time  that  a  command  is  being  transmitted  and 
processed  is  not  required. 


Scan  Drive  and  Readout,  Radiance  Detection  and  Error  Computation 
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Earth  Sensor  Processing 

Transients  in  the  Earth  Processing  Electronics  (EPE)  shall  have  sub¬ 
sided  in  such  time  that  only  one  earth-sensor  sampling  period  shall  be 
directly  effected.  In  the  case  where  an  event  occurs  during  the  time  when 
data  is  being  transferred  from  the  ESA  to  the  EPE,  then  two  ESA  sampling 
time  periods  may  be  affected. 


Figure  3.4-1.  Failure  Mode  Data  Sheets  for 
Functional  Upset  of  AVCS 
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Function 


Functional  Element  Description 


Spacecraft  Wheel  Control 

Orientation  this  eiement  impiements  the  pitch  axis  control  laws.  The  pitch 

error  input  operates  through  the  control  transfer  function  and 
causes  a  wheel  speed  error  signal  to  be  generated  which  changes 
the  wheel  speed  in  the  direction  causing  the  pitch  error  to  de¬ 
crease.  The  wheel  control  element  also  generates  signals  to 
fire  thrusters,  causing  excess  wheel  momentum  to  be  unloaded. 

Thruster  Control 

The  Thruster  Control  element  implements  the  roll/yaw  axis 
control  law.  The  roll/yaw  error  input  operates  through  the 
control  transfer  function  and  causes  thruster  firings  oriented 
toward  removing  the  roll/yaw  error. 

Command  Logic  Processing 

This  element  accepts  decoded  commands  for  the  AVCS  from 
the  S-band  Command  Processing  function  and  performs  operations 
on  the  commands  based  on  a  pre-set  logic  configuration  to 
generate  conditional  command  and  logic  configurations  for 
use  by  other  AVCS  functional  elements.  The  earth  sensor 
processing,  wheel  control,  thruster  control,  and  command 
logic  processing  functional  elements  are  implemented  in  the 
CEA. 

Power  Switching 

This  element  switches  regulated  power  from  the  spacecraft 
equipment  converter  to  the  various  AVCS  user  equipment.  ON/ 

OFF  and  redundancy  control  is  included.  The  wheel  driving, 
valve  driving,  and  power  switching  functional  elements  are 
implemented  in  the  AEA. 

Wheel  Driving 

This  element  uses  the  wheel  control  output  to  drive  the 
reaction  wheel  at  the  correct  speed  such  that  the  spacecraft 
rotates  about  the  pitch  axis  once  for  every  revolution  around 
the  <;arth.  The  wheel  drive  element  also  senses  the  wheel 
speed  and  supplies  this  value  to  the  wheel  control  element 
so  that  momentum  dumping  requirements  can  be  assessed. 

Valve  Driving 

This  functional  element  converts  the  thruster  firing 
signals  into  valve  solenoid  currents  so  that  the  thrusters 
will  fire.  Provision  for  specific  thruster  selection  and 
enabling  to  prevent  undesired  firings  is  included. 


Figure  3.4-1.  Failure  Mode  Data  Sheets 
for  Functional  Upset  of 
AVCS  (Continued) 
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Potential  Transient  Failure  Modes 


Wheel  Control and  Thruster  Control 


pitch 


Transient  upset  recovery  times  in  the  analog  circuits  of  these 
control  law  elements  will  be  very  short  compared  with  the  X-  to  x- 
second  sensor  processing  holding  register  upset  times.  Therefore 
these  transient  response  times  will  not  significantly  affect  pointing 
error.  However,  both  of  these  elements  contain  timing  circuits  and  one- 
shots  which  may  be  triggered  and/or  scrambled.  Transient  upset  of  these 
circuits  will  not  contribute  to  spacecraft  pointing  error,  but  may  only 


cause  a  small  increase  in  reaction  control  gas  usage  for  a  short  time 
(less  than  X  hour)  . 


Command  Logic  Processing  and  Power  Switching 


These  functional  elements  provide  logic  processing  for  decoded  commands 
which  set  AVCS  mode,  status  and  redundancy  configuration.  No  transient 
response  which  could  cause  change  of  mode  or  configuration  is  acceptable. 


Transients  in  the  wheel  driving  function  will  have  minimum  effect 
on  the  wheel  speed;  the  wheel  motor  time  constant  is  too  long  to  respond 
to  the  relatively  short  circuit  upset  times.  The  only  significant  failure 
mode  in  the  wheel  driving  element  is  a  possible  extraneous  tachometer 
pulse  output  to  the  wheel  control  element.  Likewise,  the  time  constants 
associated  with  valve  solenoids  are  coo  long  to  respond  to  short-term 
transients  in  the  valve  drive  circuits.  The  valve  driving  element  could 
cause  extraneous  valve  firing  only  through  a  combination  of  failures: 
undesired  enabling  of  one  or  more  valve  drivers;  mode  change  allowing 
selection  of  one  or  more  valve  drivers;  and  scrambling  of  the  correct 
combination  of  precession,  AV,  or  backup  keydown  registers,  initiating 
firing  of  one  or  more  of  the  unintentionally  selected  and  enabled  thrusters. 
This  failure  mode  must  be  prevented  since  it  might  cause  loss  of  earth 
pointing  accuracy. 
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Survivability  Transient  Requirements 


Wheel  Control  and  Thruster  Control 

Transients  shall  not  cause  signals  to  be  issued  to  the  Auxiliary 
Electronics  Assembly  (AEA)  so  as  to  cause  any  thiuters  to  fire  or  the 
reaction  wheel  speed  or  direction  to  change  so  that  the  requirements 
of  SS7-20  are  not  met. 


Command  Logic  and  Power  Switching 

Transients  whall  not  cause  mode  changes  to  occur  in  the  CEA  while 
in  the  normal  mode,  so  as  to  change 

a)  the  routing  of  control  signals  in  the  CEA 

b)  gains,  time  constants,  or  other  parameters  outside  the  limits. 

Transients  in  the  AEA  shall  not,  while  in  the  normal  mode,  cause 
any  change  in  mode,  redundancy,  configuration,  or  operational  status. 


Wheel  Driving  and  Valve  Driving 

Transients  in  the  AEA  shall  not,  while  in  the  normal  mode,  cause 
any  change  in  mode,  redundancy  configuration  or  operational  status, 
including 

a)  the  enabling  of  thrusters  not  a  part  of  the  normal  mode 

b)  the  disabling  of  thrusters  previously  enabled  for  the  normal  mode. 

Transients  shall  not  cause  any  thrusters  to  fire  or  not  to  fire,  or 
the  reaction  wheel  speed  of  direction  to  change  such  that  the  requirements 
are  not  met. 


Assembly  (SSA).  Table  3.5-1  summarizes  the  critical  components  for  either  thermome¬ 
chanical  or  total  dose  degradation  in  each  subassembly  of  the  AVCS. 

Preliminary  Assessment  Approach  for  Nonelectronic  Components 

The  survivability  verification  done  on  FLTSATCOM  has  indicated  the  critical 
nonelectronic  components  of  the  AVCS  which  are  susceptible  to  radiation  effects.  The 
assessment  would  begin  with  a  functional  analysis  to  indicate  what  performance  cri¬ 
teria  are  required  for  these  critical  components  to  ensure  no  loss  or  degradation  of 
satellite  functions.  Next,  one  must  determine  at  what  environment  these  criteria  are 
no  longer  satisfied,  i.e.  determine  the  component  failure  environment.  For  those 
materials  susceptible  to  thermomechanical  effects  the  melting  and  sublimation  energy 
must  first  be  identified.  The  fluence  to  melt  or  sublime  the  material  could  then  be 
estimated  under  the  assumption  that  the  incident  blackbody  temperature  maximized  the 
energy  deposition  in  the  material.  Similarly,  data  must  be  accumulated  to  identify 
the  total  dose  required  to  damage  those  materials  susceptible  to  ionization  damage. 
This  total  dose  value  can  then  be  converted  to  an  equivalent  fluence  failure.  If  we 
assume  uncorrelated  failure  of  components,  it  is  possible  to  identify  the  subsystem 
fluence-to-fail  with  that  of  the  softest  critical  component.  It  is  likely  that  the 
materials  will  have  much  higher  failure  fluences  than  the  electronic  components  and 
therefore  will  require  no  detailed  analysis. 


Table  3.5-1.  AVCS  Critical  Nonelectronic  Components' 
for  Radiation  Damage 


Subassembly 

Critical  Components 

Damaging  Effect 

RWA 

none 

SADA 

slip  ring  assembly 

thermal  effects 

ESA 

germanium  lens 

thermomechanical 

SSA 

thermal  control  materials 
Sylgard-182 

vacuum  deposited  nickel 

thermomechanical 
total  dose  degradation 
thermomechanical 
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